Windows Analysis Report
#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe

Overview

General Information

Sample name: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
(renamed because original name is a hash value)
Original sample name: _2.1.0.exe
Analysis ID: 1580582
MD5: 600e95b436735aec1a9e8667c9e07396
SHA1: f170160f0b04e668baddd8ba0346bb527db91dd5
SHA256: 817888612efe9489ead214871176b5cd4b0b147001bb82bd738572d6338d5c24
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" MD5: 600E95B436735AEC1A9E8667C9E07396)
    • #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp (PID: 7508 cmdline: "C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$1047A,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" MD5: 22F03937DBEFC57A5B60577F7577D53A)
      • powershell.exe (PID: 7524 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7892 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" /VERYSILENT MD5: 600E95B436735AEC1A9E8667C9E07396)
        • #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp (PID: 7648 cmdline: "C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$3047E,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" /VERYSILENT MD5: 22F03937DBEFC57A5B60577F7577D53A)
          • 7zr.exe (PID: 7796 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 7964 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 7796 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 7868 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7764 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7780 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8044 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8056 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8088 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8112 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8172 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8188 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7284 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4008 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2200 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2144 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3760 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3368 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2188 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1432 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1060 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7696 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 824 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7492 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7776 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7780 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7804 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7860 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7616 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7700 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7624 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7568 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7976 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8020 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8004 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8096 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8136 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8168 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8112 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7196 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8188 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1780 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5480 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3004 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3120 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2720 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1800 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5740 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4588 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5580 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7304 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7576 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7500 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7792 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7768 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7948 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7528 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7532 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7624 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7244 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7228 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7988 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8064 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8136 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8104 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7176 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8152 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7276 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$1047A,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, ParentProcessId: 7508, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7524, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7764, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7780, ProcessName: sc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$1047A,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, ParentProcessId: 7508, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7524, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7764, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7780, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$1047A,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, ParentProcessId: 7508, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7524, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc | ReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\Windows NT\hrsw.vbc | Virustotal: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\is-6A5FG.tmp\update.vbc | ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\is-M04KA.tmp\update.vbc | ReversingLabs: Detection: 26%
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Virustotal: Detection: 13%
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | ReversingLabs: Detection: 13%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 93.8% probability
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb | source: 7zr.exe, 0000000C.00000003.1723216764.0000000003510000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1723364517.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C86E090 FindFirstFileA,FindClose,FindClose,5_2_6C86E090
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00126868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,9_2_00126868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00127496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,9_2_00127496
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1678759254.0000000003810000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1678759254.0000000003810000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1678759254.0000000003810000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1678759254.0000000003810000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1678759254.0000000003810000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1678759254.0000000003810000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1678759254.0000000003810000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1678759254.0000000003810000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1678759254.0000000003810000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1678759254.0000000003810000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1678759254.0000000003810000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1678759254.0000000003810000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1678759254.0000000003810000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1678759254.0000000003810000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1678759254.0000000003810000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1678759254.0000000003810000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1678759254.0000000003810000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1678759254.0000000003810000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1678759254.0000000003810000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1669828026.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1670311686.000000007F8AB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000000.1671905039.0000000000081000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000000.1683136139.00000000008CD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.4.dr, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.0.dr | String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1669828026.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1670311686.000000007F8AB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000000.1671905039.0000000000081000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000000.1683136139.00000000008CD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.4.dr, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.0.dr | String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Process information set: 01 00 00 00

System Summary

Source: update.vbc.1.dr | Static PE information: section name: .aQ#
Source: hrsw.vbc.5.dr | Static PE information: section name: .aQ#
Source: update.vbc.5.dr | Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C878810 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,5_2_6C878810
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C6F3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C6F3886
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C6F3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C6F3C62
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C879450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,5_2_6C879450
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C6F3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C6F3D62
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C6F3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C6F3D18
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C6F39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C6F39CF
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C6F3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C6F3A6A
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C6F1950: CreateFileA,DeviceIoControl,CloseHandle,5_2_6C6F1950
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C6F4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,5_2_6C6F4754
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C6F4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,5_2_6C6F4754
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C6F47545_2_6C6F4754
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6CA58D125_2_6CA58D12
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C9C4F0A5_2_6C9C4F0A
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C9E38815_2_6C9E3881
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6CA4B06F5_2_6CA4B06F
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C8748605_2_6C874860
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C87A1335_2_6C87A133
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C987A465_2_6C987A46
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C9FCB305_2_6C9FCB30
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C8D9CE05_2_6C8D9CE0
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C926D505_2_6C926D50
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C92CE805_2_6C92CE80
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C8ABEA15_2_6C8ABEA1
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C8C5EC95_2_6C8C5EC9
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C9218105_2_6C921810
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C92C9F05_2_6C92C9F0
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C93D9305_2_6C93D930
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C8AB9725_2_6C8AB972
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C924AA05_2_6C924AA0
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C937AA05_2_6C937AA0
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C920AD05_2_6C920AD0
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C922A505_2_6C922A50
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C8B3BCA5_2_6C8B3BCA
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C8C3B665_2_6C8C3B66
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C8C840A5_2_6C8C840A
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C9255805_2_6C925580
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C9325C05_2_6C9325C0
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C92C6E05_2_6C92C6E0
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C8AF7CF5_2_6C8AF7CF
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C94C7005_2_6C94C700
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C9230205_2_6C923020
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C9367505_2_6C936750
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001681EC9_2_001681EC
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0013E00A9_2_0013E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001A81C09_2_001A81C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001B82409_2_001B8240
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001A22E09_2_001A22E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001C23009_2_001C2300
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001BC3C09_2_001BC3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0018E49F9_2_0018E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001B04C89_2_001B04C8
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001A25F09_2_001A25F0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001986509_2_00198650
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0019A6A09_2_0019A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001966D09_2_001966D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0019C9509_2_0019C950
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001709439_2_00170943
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001BE9909_2_001BE990
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001A2A809_2_001A2A80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0017AB119_2_0017AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00198C209_2_00198C20
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001A6CE09_2_001A6CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001B0E009_2_001B0E00
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001B4EA09_2_001B4EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001AD0899_2_001AD089
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001810AC9_2_001810AC
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0018B1219_2_0018B121
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001B11209_2_001B1120
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001A51809_2_001A5180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0019B1809_2_0019B180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0019D1D09_2_0019D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001B91C09_2_001B91C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001B72009_2_001B7200
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001BD2C09_2_001BD2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001AF3A09_2_001AF3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001BF3C09_2_001BF3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001253CF9_2_001253CF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001853F39_2_001853F3
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0014B3E49_2_0014B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001974109_2_00197410
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001AF4209_2_001AF420
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001BD4709_2_001BD470
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0016D4969_2_0016D496
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001B54D09_2_001B54D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001C351A9_2_001C351A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0019F5009_2_0019F500
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001B35309_2_001B3530
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001B15509_2_001B1550
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001215729_2_00121572
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001BF5999_2_001BF599
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001C36019_2_001C3601
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001796529_2_00179652
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001AD6A09_2_001AD6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001397669_2_00139766
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001297CA9_2_001297CA
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001B77C09_2_001B77C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0014F8E09_2_0014F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0019F9109_2_0019F910
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001BD9E09_2_001BD9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00121AA19_2_00121AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0013BAC99_2_0013BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001A7AF09_2_001A7AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00173AEF9_2_00173AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001A7C509_2_001A7C50
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0013BC929_2_0013BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0019FDF09_2_0019FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001A5E809_2_001A5E80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001A5F809_2_001A5F80
Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\Windows NT\hrsw.vbc 34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: String function: 6C949F10 appears 415 times
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: String function: 6C8AC240 appears 31 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 00121E40 appears 82 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 001228E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 001BFB10 appears 720 times
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.4.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.0.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.4.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeStatic PE information: Number of sections : 11 > 10
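The three ".aQ#" hits above (update.vbc, hrsw.vbc) and the "Number of sections : 11 > 10" lines are static checks on the PE section table. The following Python is an added example, not part of this report or of Joe Sandbox: it walks the section table by hand and applies both heuristics. The allowed-character set for a "normal" section name and the threshold of 10 sections are assumptions chosen to reproduce the report's verdicts, and the header-only PE it builds is a constructed test input, not the sample.

```python
import re
import struct

# Section names a normal linker emits (heuristic, assumed for this example):
# letters, digits and a little punctuation. Anything else, such as ".aQ#", is flagged.
_NORMAL_SECTION_NAME = re.compile(rb"^[A-Za-z0-9_.$@]+$")
_COFF_HEADER_SIZE = 20     # sizeof(IMAGE_FILE_HEADER)
_SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def parse_section_names(data):
    """Return the raw section names from a PE image's section table, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + _COFF_HEADER_SIZE + size_of_optional
    names = []
    for i in range(num_sections):
        off = table + i * _SECTION_HEADER_SIZE
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\x00"))
    return names


def suspicious_sections(data, max_normal_sections=10):
    """Apply the two static heuristics the report uses and return the findings as strings."""
    names = parse_section_names(data)
    findings = []
    if len(names) > max_normal_sections:
        findings.append(f"Number of sections : {len(names)} > {max_normal_sections}")
    for name in names:
        if not _NORMAL_SECTION_NAME.match(name):
            findings.append(f"section name: {name.decode('latin-1')}")
    return findings


def build_minimal_pe(section_names, machine=0x014C):
    """Constructed test input: a header-only PE with the given section names (no code)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0: none needed for this walk), Characteristics
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b""
    for name in section_names:
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics
        table += name.ljust(8, b"\x00")[:8]
        table += struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\x00\x00" + coff + table


if __name__ == "__main__":
    print(suspicious_sections(build_minimal_pe([b".text", b".rdata", b".data", b".aQ#"])))
```

The section count is read from the COFF header rather than from a library so the check also works on truncated or deliberately malformed headers; a name that is empty or contains bytes outside the allowed set is reported with the same wording the report uses.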
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1670311686.000000007FBAA000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameDHCHEkp1qRkkZ9.exe vs #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1669828026.0000000002BAE000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameDHCHEkp1qRkkZ9.exe vs #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000000.1668452699.00000000003E9000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNameDHCHEkp1qRkkZ9.exe vs #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeBinary or memory string: OriginalFileNameDHCHEkp1qRkkZ9.exe vs #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.drBinary string: \Device\TfSysMon
Source: tProtect.dll.12.drBinary string: \Device\TfKbMonPWLCache
Source: classification engineClassification label: mal96.evad.winEXE@148/31@0/0
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C879450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,5_2_6C879450
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00129313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,9_2_00129313
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00133D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,9_2_00133D66
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00129252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,9_2_00129252
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C878930 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW,5_2_6C878930
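Lines such as "5_2_6C6F3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread" above, and the token-adjusting and Toolhelp32 sequences just listed, give the imports a disassembled function calls, in call order; the overview's signatures (hiding threads from the debugger, enabling a privilege before NtInitiatePowerAction, process enumeration) rest on such sequences. The Python below is an added example, not part of this report or of Joe Sandbox: it parses those lines and matches ordered API subsequences. The signature names and call patterns are this example's own assumptions, the sample lines are copied from the report above, and a hit is only a lead to confirm in the disassembly, since the import list cannot show arguments such as the ThreadInformationClass passed to NtSetInformationThread.

```python
import re

# One "Code function" entry: "<pid>_<dump>_<addr> API1,API2,...,<same id>"; some entries
# put a colon after the id. Entries without a call list (id immediately repeated) are skipped.
_CODE_FN_RE = re.compile(
    r"Code function: (?P<fn>\d+_\d+_[0-9A-Fa-f]+):? (?P<calls>(?:[\w:]+,)+)(?P=fn)$"
)

# Ordered API subsequences (assumed for this example; not Joe Sandbox's rule set).
SIGNATURES = {
    "hide_thread_from_debugger": ["GetCurrentThread", "NtSetInformationThread"],
    "enable_privilege": ["OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges"],
    "shutdown_or_reboot": ["AdjustTokenPrivileges", "NtInitiatePowerAction"],
    "self_delete_and_logoff": ["TerminateProcess", "ExitWindowsEx", "DeleteFileA"],
    "driver_ioctl": ["CreateFileA", "DeviceIoControl"],
    "process_enumeration": ["CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"],
}

# Lines copied from this report's System Summary section.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C878810 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,5_2_6C878810
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C6F3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C6F3886
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C879450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,5_2_6C879450
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C6F1950: CreateFileA,DeviceIoControl,CloseHandle,5_2_6C6F1950
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C6F4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,5_2_6C6F4754
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpCode function: 5_2_6C878930 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW,5_2_6C878930
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00129313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,9_2_00129313
"""


def is_subsequence(pattern, calls):
    """True if every name in pattern occurs in calls in that order (gaps allowed)."""
    it = iter(calls)  # "name in it" consumes the iterator up to the match, so order is kept
    return all(name in it for name in pattern)


def parse_code_function(line):
    """Return (function id, [API names]) for a Code function line, else None."""
    m = _CODE_FN_RE.search(line.strip())
    if m is None:
        return None
    return m.group("fn"), m.group("calls").rstrip(",").split(",")


def match_signatures(calls):
    """Names of every signature whose pattern is an ordered subsequence of calls."""
    return [name for name, pattern in SIGNATURES.items() if is_subsequence(pattern, calls)]


def scan(text):
    """Map function id -> matched signature names for every parseable line in text."""
    hits = {}
    for line in text.splitlines():
        parsed = parse_code_function(line)
        if parsed is None:
            continue
        fn, calls = parsed
        matched = match_signatures(calls)
        if matched:
            hits[fn] = matched
    return hits


if __name__ == "__main__":
    for fn, names in scan(SAMPLE_LINES).items():
        print(fn, ", ".join(names))
```

Because the match is order-aware, 5_2_6C878810 (NtSetInformationThread without a preceding GetCurrentThread) is not reported while 5_2_6C6F3886 is, and the legitimate 7zr.exe function 9_2_00129313 still trips enable_privilege, matching the report's own "Process token adjusted: Security" line for 7zr.exe: privilege adjustment alone is not a verdict.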
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpFile created: C:\Program Files (x86)\Windows NT\is-OSG8Q.tmp
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8144:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5824:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7552:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7236:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7252:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8128:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3428:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8008:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7184:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7120:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7172:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7296:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3104:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7824:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7764:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8068:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7968:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2188:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1188:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5012:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7264:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2504:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3164:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeFile created: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpFile read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeVirustotal: Detection: 13%
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeReversingLabs: Detection: 13%
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeFile read: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
Source: unknownProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeProcess created: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$1047A,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe"
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeProcess created: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$3047E,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" /VERYSILENT
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Process created: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$1047A,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe"
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Process created: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$3047E,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Static file information: File size 7420234 > 1048576
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1723216764.0000000003510000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1723364517.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001A57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 9_2_001A57D0
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x343aef
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.4.dr | Static PE information: real checksum: 0x0 should be: 0x343aef
Source: update.vbc.5.dr | Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: update.vbc.1.dr | Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Static PE information: real checksum: 0x0 should be: 0x715482
Source: tProtect.dll.12.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: hrsw.vbc.5.dr | Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.0.dr | Static PE information: section name: .didata
Source: update.vbc.1.dr | Static PE information: section name: .00cfg
Source: update.vbc.1.dr | Static PE information: section name: .voltbl
Source: update.vbc.1.dr | Static PE information: section name: .aQ#
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.4.dr | Static PE information: section name: .didata
Source: 7zr.exe.5.dr | Static PE information: section name: .sxdata
Source: hrsw.vbc.5.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.5.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.5.dr | Static PE information: section name: .aQ#
Source: update.vbc.5.dr | Static PE information: section name: .00cfg
Source: update.vbc.5.dr | Static PE information: section name: .voltbl
Source: update.vbc.5.dr | Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C87BDDB push ecx; ret 5_2_6C87BDEE
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C720F00 push ss; retn 0001h 5_2_6C720F0A
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C949F10 push eax; ret 5_2_6C949F2E
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C8AE9F4 push 004AC35Ch; ret 5_2_6C8AEA0E
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C94A290 push eax; ret 5_2_6C94A2BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001245F4 push 001CC35Ch; ret 9_2_0012460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001BFB10 push eax; ret 9_2_001BFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001BFE90 push eax; ret 9_2_001BFEBE
Source: update.vbc.1.dr | Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: hrsw.vbc.5.dr | Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: update.vbc.5.dr | Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | File created: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | File created: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-M04KA.tmp\update.vbc
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-M04KA.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-6A5FG.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-6A5FG.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5958
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3712
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Window / User API: threadDelayed 581
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Window / User API: threadDelayed 552
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Window / User API: threadDelayed 536
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M04KA.tmp\update.vbc
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M04KA.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6A5FG.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6A5FG.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C86E090 FindFirstFileA,FindClose,FindClose,5_2_6C86E090
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00126868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,9_2_00126868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00127496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,9_2_00127496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00129C60 GetSystemInfo,9_2_00129C60
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000002.1688673725.000000000097D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\1
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000002.1688673725.000000000097D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}R
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C6F3886 NtSetInformationThread 00000000,00000011,00000000,00000000 5_2_6C6F3886
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C883871 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_6C883871
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001A57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,9_2_001A57D0
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C88D425 mov eax, dword ptr fs:[00000030h] 5_2_6C88D425
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C88D456 mov eax, dword ptr fs:[00000030h] 5_2_6C88D456
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C88286D mov eax, dword ptr fs:[00000030h] 5_2_6C88286D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C87C3AD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_6C87C3AD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.12.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 5_2_6C94A700 cpuid 5_2_6C94A700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0012AB2A GetSystemTimeAsFileTime,9_2_0012AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001C0090 GetVersion,9_2_001C0090
MITRE ATT&CK matrix (the number in parentheses after a technique is the count of matching signatures in this report):

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | Windows Service (1) | Access Token Manipulation (1) | Masquerading (11) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1) |
| Credentials | Domains | Default Accounts | Service Execution (1) | DLL Side-Loading (1) | Windows Service (1) | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (421) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | Native API (1) | Logon Script (Windows) | Process Injection (111) | Virtualization/Sandbox Evasion (231) | Security Account Manager | Virtualization/Sandbox Evasion (231) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | DLL Side-Loading (1) | Access Token Manipulation (1) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Process Injection (111) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Deobfuscate/Decode Files or Information (1) | Cached Domain Credentials | System Owner/User Discovery (2) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Obfuscated Files or Information (3) | DCSync | File and Directory Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Software Packing (1) | Proc Filesystem | System Information Discovery (25) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | DLL Side-Loading (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Behavior Graph (ID: 1580582; Sample: #U5b89#U88c5#U7a0b#U5e8f_2....; Start date: 25/12/2024; Architecture: WINDOWS; Score: 96)

Signatures on the root node: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; 3 other signatures

Process tree (node numbers in brackets are the graph's node ids):

[11] #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe (started)
    dropped: C:\...\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp (PE32)
    [20] #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp (started)
        dropped: C:\Users\user\AppData\Local\...\update.vbc (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        signature: Adds a directory exclusion to Windows Defender
        [36] #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe (started)
            dropped: C:\...\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp (PE32)
            [56] #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp (started)
                dropped: C:\Users\user\AppData\Local\...\update.vbc (PE32); C:\Program Files (x86)\Windows NT\hrsw.vbc (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Program Files (x86)\Windows NT\7zr.exe (PE32)
                signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
                [64] 7zr.exe (started)
                    dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+)
                    [71] conhost.exe (started)
                [67] cmd.exe (started)
                    [73] sc.exe (started)
                        [77] conhost.exe (started)
                [69] 7zr.exe (started)
                    [75] conhost.exe (started)
        [39] powershell.exe (started)
            signature: Loading BitLocker PowerShell Module
            [60] conhost.exe (started)
            [62] WmiPrvSE.exe (started)
[14] cmd.exe (started)
    [24] sc.exe (started)
        [42] conhost.exe (started)
[16] cmd.exe (started)
    [26] sc.exe (started)
        [44] conhost.exe (started)
[18] 31 other processes
    [28] sc.exe (started)
        [46] conhost.exe (started)
    [30] sc.exe (started)
        [48] conhost.exe (started)
    [32] sc.exe (started)
        [50] conhost.exe (started)
    [34] 27 other processes
        [52] conhost.exe (started)
        [54] 26 other processes

Submitted file:

| Source | Detection | Scanner | Label |
|---|---|---|---|
| #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | 13% | Virustotal | |
| #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | 13% | ReversingLabs | Win32.Trojan.Generic |

Dropped files:

| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs | |
| C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal | |
| C:\Program Files (x86)\Windows NT\hrsw.vbc | 26% | ReversingLabs | |
| C:\Program Files (x86)\Windows NT\hrsw.vbc | 49% | Virustotal | |
| C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs | |
| C:\Program Files (x86)\Windows NT\tProtect.dll | 6% | Virustotal | |
| C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | 1% | Virustotal | |
| C:\Users\user\AppData\Local\Temp\is-6A5FG.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
| C:\Users\user\AppData\Local\Temp\is-6A5FG.tmp\update.vbc | 26% | ReversingLabs | |
| C:\Users\user\AppData\Local\Temp\is-M04KA.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
| C:\Users\user\AppData\Local\Temp\is-M04KA.tmp\update.vbc | 26% | ReversingLabs | |
No Antivirus matches
No contacted domains info
URLs found in memory or binary data:

| Name | Source | Malicious | Reputation |
|---|---|---|---|
| https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | false | high |
| https://www.remobjects.com/ps | #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1669828026.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1670311686.000000007F8AB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000000.1671905039.0000000000081000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000000.1683136139.00000000008CD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.4.dr, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.0.dr | false | high |
| https://www.innosetup.com/ | #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1669828026.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1670311686.000000007F8AB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000000.1671905039.0000000000081000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000005.00000000.1683136139.00000000008CD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.4.dr, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.0.dr | false | high |

No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580582
Start date and time: 2024-12-25 11:16:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 112
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe (renamed because the original name is a hash value)
Original Sample Name: _2.1.0.exe
Detection: MAL
Classification: mal96.evad.winEXE@148/31@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 74%
• Number of executed functions: 121
• Number of non-executed functions: 101
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded process from analysis (whitelisted): Conhost.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big: too many NtCreateKey calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 05:16:58 | API Interceptor | 1x Sleep call for process: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp modified |
| 05:17:00 | API Interceptor | 18x Sleep call for process: powershell.exe modified |
        No context
Dropped files seen in other analyses (the SHA 256, Link and Context columns of the original table carried no text in this extract):

| Match | Associated Sample Name / URL | Detection | Threat Name |
|---|---|---|---|
| C:\Program Files (x86)\Windows NT\7zr.exe | yvaKqhmD4L.exe | malicious | Unknown |
| | yvaKqhmD4L.exe | malicious | Unknown |
| | #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | malicious | Unknown |
| | #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | malicious | Unknown |
| | #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | malicious | Unknown |
| | #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | malicious | Unknown |
| | #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe | malicious | Unknown |
| | #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | malicious | Unknown |
| | #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | malicious | Unknown |
| | #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | malicious | Unknown |
| C:\Program Files (x86)\Windows NT\hrsw.vbc | yvaKqhmD4L.exe | malicious | Unknown |
| | yvaKqhmD4L.exe | malicious | Unknown |
| | #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | malicious | Unknown |
| | #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | malicious | Unknown |
| | #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | malicious | Unknown |
| | #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | malicious | Unknown |
| | #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe | malicious | Unknown |
| | #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | malicious | Unknown |
| | #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | malicious | Unknown |
| | #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | malicious | Unknown |

Dropped file:
Process: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: yvaKqhmD4L.exe, Detection: malicious
• Filename: yvaKqhmD4L.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe, Detection: malicious

Dropped file:
Process: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
File Type: data
Category: dropped
Size (bytes): 2013712
Entropy (8bit): 7.999909775731037
Encrypted: true
SSDEEP: 49152:BTyiWK1WyN+RDxRtFXvjJXlvm53Xc1irkBwMP:BuX+wTPN1BP
MD5: 8F08CC7E63D6300EC045AB1F8F9AA951
SHA1: 2D96E43F4D7DCE2FB4DE60FA86C06BECA936F1CB
SHA-256: 318B7D9D3A6D887B15103373F195640A971FC6741F1D3274D760231A54664150
SHA-512: A43161CA6A430E8EF8E4BC379FE8A3A0D2791D8F5EAB0A1D08DAAFF91CBBEF4827EAE83DAE4D4A43E52F5D2EEFB63393EE8D925CA8D69AB2F8C6185531858658
Malicious: false

Dropped file:
Process: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3621376
Entropy (8bit): 7.006090025798393
Encrypted: false
SSDEEP: 98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
MD5: FCADEAE28FCC52FD286350DFEECD82E5
SHA1: 48290AA098DEDE53C457FC774063C3198754A161
SHA-256: 34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
SHA-512: 56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 26%
• Antivirus: Virustotal, Detection: 49%
Joe Sandbox View:
• Filename: yvaKqhmD4L.exe, Detection: malicious
• Filename: yvaKqhmD4L.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe, Detection: malicious

Dropped file:
Process: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
File Type: data
Category: dropped
Size (bytes): 2013712
Entropy (8bit): 7.999909775731037
Encrypted: true
SSDEEP: 49152:BTyiWK1WyN+RDxRtFXvjJXlvm53Xc1irkBwMP:BuX+wTPN1BP
MD5: 8F08CC7E63D6300EC045AB1F8F9AA951
SHA1: 2D96E43F4D7DCE2FB4DE60FA86C06BECA936F1CB
SHA-256: 318B7D9D3A6D887B15103373F195640A971FC6741F1D3274D760231A54664150
SHA-512: A43161CA6A430E8EF8E4BC379FE8A3A0D2791D8F5EAB0A1D08DAAFF91CBBEF4827EAE83DAE4D4A43E52F5D2EEFB63393EE8D925CA8D69AB2F8C6185531858658
Malicious: false

Dropped file:
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996334153088009
Encrypted: true
SSDEEP: 1536:YywPS6FFSU9ntKk/GQo5eg5MkOnfoyV2d:Yxs8n/G7pyNnfzE
MD5: CE6B049A9CEAF1CA63DC43A8E08325D4
SHA1: 26CEC46AEB554ADCCC1CABB2867F588F3810E556
SHA-256: 8EFB2026C56587E30418E8667DB39F273A9D4C60AEEB755ED6DBF669D2346FCF
SHA-512: 38309832AB68DD51792FD4CBB11C2FB34C4A8664E4CCA52805D8DF7299A4CB159FE5C073C022D59563B5060AFFE0C0CDD4A5A31D8E251214BCF9A6F328C3D026
Malicious: false

Dropped file:
Process: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996334153088005
Encrypted: true
SSDEEP: 1536:a1M9IX3uaeZQY/k1ZJOWBDtzm24KZRzhpS7SG:AM9G3wniDOWzd4aSGG
MD5: 7E6801C9BFDE2B66C069049E17685F1F
SHA1: 481F8E706F1CE00939457414A8A8D20207ED7A20
SHA-256: A30AD636349FE242B9494A277EC632DB91E42F7E8CC7814224954DC99DCD5486
SHA-512: F9E08821BF9D7E4447824941D5B5F309F8EEE3BF25694B0C15F51BF02C5292B00B28974F9341145E6A4782678E1FD0B497BFA66641BEC36761BE5B66AFA4EBE8
Malicious: false

Dropped file:
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996966859255975
Encrypted: true
SSDEEP: 1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
MD5: CEA69F993E1CE0FB945A98BF37A66546
SHA1: 7114365265F041DA904574D1F5876544506F89BA
SHA-256: E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
SHA-512: 4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
Malicious: false

Dropped file:
Process: C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996966859255979
Encrypted: true
SSDEEP: 1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
MD5: 4CB8B7E557C80FC7B014133AB834A042
SHA1: C42E2C861FF3ED0E6A11824E12F67A344E8F783D
SHA-256: 3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
SHA-512: A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
Malicious: false
                                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):31890
                                                Entropy (8bit):7.99402458740637
                                                Encrypted:true
                                                SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                                MD5:8622FC7228777F64A47BD6C61478ADD9
                                                SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                                SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                                SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                                Malicious:false
                                                Process:C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                                File Type:7-zip archive data, version 0.4
                                                Category:dropped
                                                Size (bytes):31890
                                                Entropy (8bit):7.99402458740637
                                                Encrypted:true
                                                SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                                MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                                SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                                SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                                SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                                Malicious:false
                                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):74960
                                                Entropy (8bit):7.99759370165655
                                                Encrypted:true
                                                SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                                MD5:950338D50B95A25F494EE74E97B7B7A9
                                                SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                                SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                                SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                                Malicious:false
                                                Process:C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                                File Type:7-zip archive data, version 0.4
                                                Category:dropped
                                                Size (bytes):74960
                                                Entropy (8bit):7.997593701656546
                                                Encrypted:true
                                                SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                                MD5:059BA7C31F3E227356CA5F29E4AA2508
                                                SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                                SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                                SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                                Malicious:false
                                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):29730
                                                Entropy (8bit):7.994290657653607
                                                Encrypted:true
                                                SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                                MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                                SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                                SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                                SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                                Malicious:false
                                                Process:C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                                File Type:7-zip archive data, version 0.4
                                                Category:dropped
                                                Size (bytes):29730
                                                Entropy (8bit):7.994290657653608
                                                Encrypted:true
                                                SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                                MD5:A9C8A3E00692F79E1BA9693003F85D18
                                                SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                                SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                                SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                                Malicious:false
                                                Process:C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                                File Type:7-zip archive data, version 0.4
                                                Category:dropped
                                                Size (bytes):2013712
                                                Entropy (8bit):7.999909775731039
                                                Encrypted:true
                                                SSDEEP:24576:aeAeOnYmlpxI9mjU6aNrR9wkT4yXheu0VCZNdh5yUR3JL45INST1LGhgwFdfEsUF:aeSl7+mQ6an9FxX50qXk1ihLy5gChWsH
                                                MD5:40AB1E948FE3856EADAFC9463FF0EA8A
                                                SHA1:8DF92A812C48F2E9C0C07EEE9E52FA91DBD5EC14
                                                SHA-256:169723E66AC1D3CD061E80DCDAA8CC6AFC00FFC398DAA7B755E6985247ADA3E5
                                                SHA-512:92F2018E87B0996E1A5879FE2A3D9F7A7F7C6B5472C93ECD005B39CA206319C3F9BC87E59B82988803BA6930A1DD3C8A5412471E7EB2CC119EC531BC73A8FDF7
                                                Malicious:false
                                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):63640
                                                Entropy (8bit):6.482810107683822
                                                Encrypted:false
                                                SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                                MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                                SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                                SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                                SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 9%
                                                • Antivirus: Virustotal, Detection: 6%
                                                Process:C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                                File Type:ASCII text
                                                Category:dropped
                                                Size (bytes):4096
                                                Entropy (8bit):3.3443983145211007
                                                Encrypted:false
                                                SSDEEP:48:dXKLzDlnyL6w0QldOVQOj933ODOiTdKbKsz72eW+5yF:dXazDlnHwhldOVQOj6dKbKsz7
                                                MD5:1E67E91688292692932CD9096EDEA2BD
                                                SHA1:AA8859477C235F2F194FC7C4D75EF4C082A6864B
                                                SHA-256:ED20E6ED002708041CC98B046F976B2BE43685B258AE6461F291CF73F7128924
                                                SHA-512:7C6DE3E403542FE6D33C75F286212A114C7112B8401EAC8323EDBE856CADE905CE11E0B9C4083AE01A711E6B1EC12329CBF43AB0B585BCB56FE8A0F151B47B3E
                                                Malicious:false
                                                Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\turminoob</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAva
                                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1763587
                                                Entropy (8bit):7.999883611742324
                                                Encrypted:true
                                                SSDEEP:24576:ngGrcwCAZ/N47RABjDLL6uFD2z/DfjbdxUggZTCRvT3H+ReRfik9iL6W5vay+:nNrPq7RAB/zdQj8ggGR6ARN9WJar
                                                MD5:D118512C2CE146376953136C2C11E2DA
                                                SHA1:32B96DF4C8AC90710245B2B5B4B270EE1E12ED3B
                                                SHA-256:B47D07D59DB1A526BF02A84334216A8709E26F617199EFBA8B91E4D19CD4296E
                                                SHA-512:77E862C7E99D40258910F12CFA7D46633B8BEB8D1AE55D87DF17236E8331A8A7A537D8F3FA3AD1D2E38B2B05F66309866873EB18D8A353E421571964FF3827AC
                                                Malicious:false
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):64
                                                Entropy (8bit):1.1940658735648508
                                                Encrypted:false
                                                SSDEEP:3:NlllulxmH/lZ:NllUg
                                                MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
                                                SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
                                                SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
                                                SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
                                                Malicious:false
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):3366912
                                                Entropy (8bit):6.530565567370247
                                                Encrypted:false
                                                SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                                MD5:22F03937DBEFC57A5B60577F7577D53A
                                                SHA1:8DF2FE400E061C766AD31D400EB7EB6A63A57AB3
                                                SHA-256:ACEA922C33710AB9E3106BF3F1463FA2829EA257E747F6CABC7F59E91CC73397
                                                SHA-512:02E1FF9BC56CBF82901A6AF0E68BE00DF6124036C22F28019CD782EAF1ED23E76F2C487C91506F217AA9350BD14983E9BB9C6EB18A0DECE814FDBF52272C8DAB
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Virustotal, Detection: 1%
                                                Process:C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):6144
                                                Entropy (8bit):4.720366600008286
                                                Encrypted:false
                                                SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Process:C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):3621376
                                                Entropy (8bit):7.006090025798393
                                                Encrypted:false
                                                SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                                MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                                SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                                SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                                SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 26%
                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):6144
                                                Entropy (8bit):4.720366600008286
                                                Encrypted:false
                                                SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):3621376
                                                Entropy (8bit):7.006090025798393
                                                Encrypted:false
                                                SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                                MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                                SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                                SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                                SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 26%
                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):3366912
                                                Entropy (8bit):6.530565567370247
                                                Encrypted:false
                                                SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                                MD5:22F03937DBEFC57A5B60577F7577D53A
                                                SHA1:8DF2FE400E061C766AD31D400EB7EB6A63A57AB3
                                                SHA-256:ACEA922C33710AB9E3106BF3F1463FA2829EA257E747F6CABC7F59E91CC73397
                                                SHA-512:02E1FF9BC56CBF82901A6AF0E68BE00DF6124036C22F28019CD782EAF1ED23E76F2C487C91506F217AA9350BD14983E9BB9C6EB18A0DECE814FDBF52272C8DAB
                                                Malicious:true
                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                File Type:ASCII text, with CRLF, CR line terminators
                                                Category:dropped
                                                Size (bytes):406
                                                Entropy (8bit):5.117520345541057
                                                Encrypted:false
                                                SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                                MD5:9200058492BCA8F9D88B4877F842C148
                                                SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                                SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                                SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                                Malicious:false
                                                Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):7.948220624850858
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 98.04%
                                                • Inno Setup installer (109748/4) 1.08%
                                                • InstallShield setup (43055/19) 0.42%
                                                • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                File name:#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
                                                File size:7'420'234 bytes
                                                MD5:600e95b436735aec1a9e8667c9e07396
                                                SHA1:f170160f0b04e668baddd8ba0346bb527db91dd5
                                                SHA256:817888612efe9489ead214871176b5cd4b0b147001bb82bd738572d6338d5c24
                                                SHA512:675573d07e83d4ad36502c766fb3bfbb03d16407e76155ca1eb9b1b96172fe883d2856365356c5c61957959490d7ee153aecf3445b71c4bfab328abb0eb26314
                                                SSDEEP:98304:XwREO6yDBViBRU12eA2v9BmxMrsWb8jy4ai5+lL5jUvkm/HT2sA7AdMwZgz:lO6yEB2bmxMb8m7HlVUvHqs3a
                                                TLSH:B0762213F2CBD43EE05E073B19B2A25494FB7A20A522AD579AECB4ECCF255101D3E647
                                                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                Icon Hash:0c0c2d33ceec80aa
                                                Entrypoint:0x4a83bc
                                                Entrypoint Section:.itext
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:6
                                                OS Version Minor:1
                                                File Version Major:6
                                                File Version Minor:1
                                                Subsystem Version Major:6
                                                Subsystem Version Minor:1
                                                Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                                Instruction
                                                push ebp
                                                mov ebp, esp
                                                add esp, FFFFFFA4h
                                                push ebx
                                                push esi
                                                push edi
                                                xor eax, eax
                                                mov dword ptr [ebp-3Ch], eax
                                                mov dword ptr [ebp-40h], eax
                                                mov dword ptr [ebp-5Ch], eax
                                                mov dword ptr [ebp-30h], eax
                                                mov dword ptr [ebp-38h], eax
                                                mov dword ptr [ebp-34h], eax
                                                mov dword ptr [ebp-2Ch], eax
                                                mov dword ptr [ebp-28h], eax
                                                mov dword ptr [ebp-14h], eax
                                                mov eax, 004A2EBCh
                                                call 00007F836CD1D645h
                                                xor eax, eax
                                                push ebp
                                                push 004A8AC1h
                                                push dword ptr fs:[eax]
                                                mov dword ptr fs:[eax], esp
                                                xor edx, edx
                                                push ebp
                                                push 004A8A7Bh
                                                push dword ptr fs:[edx]
                                                mov dword ptr fs:[edx], esp
                                                mov eax, dword ptr [004B0634h]
                                                call 00007F836CDAEFCBh
                                                call 00007F836CDAEB1Eh
                                                lea edx, dword ptr [ebp-14h]
                                                xor eax, eax
                                                call 00007F836CDA97F8h
                                                mov edx, dword ptr [ebp-14h]
                                                mov eax, 004B41F4h
                                                call 00007F836CD176F3h
                                                push 00000002h
                                                push 00000000h
                                                push 00000001h
                                                mov ecx, dword ptr [004B41F4h]
                                                mov dl, 01h
                                                mov eax, dword ptr [0049CD14h]
                                                call 00007F836CDAAB23h
                                                mov dword ptr [004B41F8h], eax
                                                xor edx, edx
                                                push ebp
                                                push 004A8A27h
                                                push dword ptr fs:[edx]
                                                mov dword ptr fs:[edx], esp
                                                call 00007F836CDAF053h
                                                mov dword ptr [004B4200h], eax
                                                mov eax, dword ptr [004B4200h]
                                                cmp dword ptr [eax+0Ch], 01h
                                                jne 00007F836CDB5D3Ah
                                                mov eax, dword ptr [004B4200h]
                                                mov edx, 00000028h
                                                call 00007F836CDAB418h
                                                mov edx, dword ptr [004B4200h]
                                                 Name | Virtual Address | Virtual Size | Is in Section
                                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                 Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                 .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                 .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                 .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                 .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                 .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                 .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                 .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                 .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                 .rsrc | 0xcb000 | 0x11000 | 0x11000 | 337ff2608e1482ac22c0f5c41294ee7e | False | 0.18770105698529413 | data | 3.723642188828799 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                 RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                                                 RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                                                 RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                                                 RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                                                 RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                                                 RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                                                 RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                                                 RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                                                 RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                                                 RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                                                 RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                                                 RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                                                 RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                                                 RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                                                 RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                                                 RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                                                 RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                                                 RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                                                 RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                                                 RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                                                 RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                                                 RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                                                 RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                                                 RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                                                 RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                                                 RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                                                 RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.2045454545454546
                                                 RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                                                 RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2769121813031161
                                                 RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                                                 DLL | Import
                                                 kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                                 comctl32.dll | InitCommonControls
                                                 user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                                 oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                                 advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                                 Name | Ordinal | Address
                                                 __dbk_fcall_wrapper | 2 | 0x40fc10
                                                 dbkFCallWrapperAddr | 1 | 0x4b063c
                                                 Language of compilation system | Country where language is spoken
                                                 English | United States
                                                No network behavior found

                                                Target ID:0
                                                Start time:05:16:57
                                                Start date:25/12/2024
                                                Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe"
                                                Imagebase:0x330000
                                                File size:7'420'234 bytes
                                                MD5 hash:600E95B436735AEC1A9E8667C9E07396
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:Borland Delphi
                                                Reputation:low
                                                Has exited:true

                                                Target ID:1
                                                Start time:05:16:57
                                                Start date:25/12/2024
                                                Path:C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-VLJEP.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$1047A,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe"
                                                Imagebase:0x80000
                                                File size:3'366'912 bytes
                                                MD5 hash:22F03937DBEFC57A5B60577F7577D53A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:Borland Delphi
                                                Reputation:low
                                                Has exited:true

                                                Target ID:2
                                                Start time:05:16:58
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                Imagebase:0x7ff788560000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:05:16:58
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:4
                                                Start time:05:16:58
                                                Start date:25/12/2024
                                                Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" /VERYSILENT
                                                Imagebase:0x330000
                                                File size:7'420'234 bytes
                                                MD5 hash:600E95B436735AEC1A9E8667C9E07396
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:Borland Delphi
                                                Reputation:low
                                                Has exited:false

                                                Target ID:5
                                                Start time:05:16:59
                                                Start date:25/12/2024
                                                Path:C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-580MK.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$3047E,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" /VERYSILENT
                                                Imagebase:0x650000
                                                File size:3'366'912 bytes
                                                MD5 hash:22F03937DBEFC57A5B60577F7577D53A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:Borland Delphi
                                                Antivirus matches:
                                                • Detection: 1%, Virustotal
                                                Reputation:low
                                                Has exited:true

                                                Target ID:6
                                                Start time:05:17:01
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:7
                                                Start time:05:17:01
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:8
                                                Start time:05:17:01
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:9
                                                Start time:05:17:01
                                                Start date:25/12/2024
                                                Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                                Wow64 process (32bit):true
                                                Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                                Imagebase:0x120000
                                                File size:831'200 bytes
                                                MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Antivirus matches:
                                                • Detection: 0%, ReversingLabs
                                                • Detection: 0%, Virustotal
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:10
                                                Start time:05:17:01
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:11
                                                Start time:05:17:02
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                Imagebase:0x7ff693ab0000
                                                File size:496'640 bytes
                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:12
                                                Start time:05:17:02
                                                Start date:25/12/2024
                                                Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                                Wow64 process (32bit):true
                                                Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                                Imagebase:0x120000
                                                File size:831'200 bytes
                                                MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:13
                                                Start time:05:17:02
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:14
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:15
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:16
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:17
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:18
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:19
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:20
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:21
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:22
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:23
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:24
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:25
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:26
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:27
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:28
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:29
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:30
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:31
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:32
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:33
                                                Start time:05:17:03
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:34
                                                Start time:05:17:04
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:35
                                                Start time:05:17:04
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:36
                                                Start time:05:17:04
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:37
                                                Start time:05:17:04
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:38
                                                Start time:05:17:04
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:39
                                                Start time:05:17:04
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:40
                                                Start time:05:17:04
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:41
                                                Start time:05:17:04
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:42
                                                Start time:05:17:04
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:43
                                                Start time:05:17:04
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:44
                                                Start time:05:17:04
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:45
                                                Start time:05:17:04
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:46
                                                Start time:05:17:04
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:47
                                                Start time:05:17:04
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:48
                                                Start time:05:17:04
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:49
                                                Start time:05:17:04
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:50
                                                Start time:05:17:04
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:51
                                                Start time:05:17:04
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:52
                                                Start time:05:17:04
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:53
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:54
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:55
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:56
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:57
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:58
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:59
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:60
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:61
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:62
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:63
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:64
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:65
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:66
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:67
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:68
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:69
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:70
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:71
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:72
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:73
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:74
                                                Start time:05:17:05
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:75
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:76
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:77
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:78
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:79
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:80
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:81
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:82
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:83
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:84
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:85
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:86
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:87
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:88
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:89
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:90
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:91
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:92
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:93
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:94
                                                Start time:05:17:06
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:95
                                                Start time:05:17:07
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:96
                                                Start time:05:17:07
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:97
                                                Start time:05:17:07
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:98
                                                Start time:05:17:07
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:99
                                                Start time:05:17:07
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff70f330000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:100
                                                Start time:05:17:07
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:101
                                                Start time:05:17:07
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:102
                                                Start time:05:17:07
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:103
                                                Start time:05:17:07
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:104
                                                Start time:05:17:07
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:105
                                                Start time:05:17:07
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:106
                                                Start time:05:17:07
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:107
                                                Start time:05:17:07
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:108
                                                Start time:05:17:07
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff6f5f50000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:109
                                                Start time:05:17:07
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:110
                                                Start time:05:17:07
                                                Start date:25/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff67f500000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true


                                                  Execution Graph

                                                  Execution Coverage:1.9%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:5.2%
                                                  Total number of Nodes:737
                                                  Total number of Limit Nodes:8
                                                  execution_graph:interactive node/edge rendering of the 737-node graph (raw node and edge data omitted)
                                                  API calls referenced in graph nodes:CreateFileA, CreateFileW, CloseHandle, GetFileType, ReadFile, WriteFile, ReadConsoleW, GetConsoleMode, SetStdHandle, FindFirstFileA, FindClose, MultiByteToWideChar, HeapAlloc, HeapFree, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, RaiseException, IsProcessorFeaturePresent, GetPEB, Sleep, ExitThread, GetCurrentProcess, TerminateProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, NtInitiatePowerAction, OpenSCManagerA, CreateToolhelp32Snapshot, CreateProcessA
                                                  CRT / library routines referenced in graph nodes:std::_Facet_Register, std::ios_base::_Ios_base_dtor, std::invalid_argument::invalid_argument, std::_Lockit::_Lockit, std::locale::_Setgloballocale, std::_Xinvalid_argument, __Getctype, __wsopen_s, __dosmaperr, __fassign, __cftoe, __EH_prolog3, ___std_exception_destroy, _Yarn, _strlen, _free
64255 6c6f7ba9 64254->64255 64256 6c6f7b92 64254->64256 64259 6c6f7b43 _Yarn 64254->64259 64258 6c87a133 std::_Facet_Register 4 API calls 64255->64258 64257 6c87a133 std::_Facet_Register 4 API calls 64256->64257 64257->64259 64258->64259 64260 6c86e090 2 API calls 64259->64260 64270 6c6f7be7 std::ios_base::_Ios_base_dtor 64260->64270 64261->64201 64261->64234 64261->64249 64261->64250 64261->64252 64399 6c73e010 67 API calls 64261->64399 64262 6c8786e0 4 API calls 64273 6c6f8a07 64262->64273 64263 6c6f9d7f 64267 6c87a133 std::_Facet_Register 4 API calls 64263->64267 64264 6c6f9d68 64266 6c87a133 std::_Facet_Register 4 API calls 64264->64266 64265 6c6f962c _strlen 64265->64201 64265->64263 64265->64264 64268 6c6f9d18 _Yarn 64265->64268 64266->64268 64267->64268 64269 6c86e090 2 API calls 64268->64269 64276 6c6f9dbd std::ios_base::_Ios_base_dtor 64269->64276 64270->64201 64270->64262 64270->64265 64271 6c6f8387 64270->64271 64272 6c8786e0 4 API calls 64281 6c6f9120 64272->64281 64273->64272 64274 6c8786e0 4 API calls 64291 6c6fa215 _strlen 64274->64291 64275 6c8786e0 4 API calls 64277 6c6f9624 64275->64277 64276->64201 64276->64274 64282 6c6fe8b5 std::ios_base::_Ios_base_dtor _Yarn _strlen 64276->64282 64373 6c879450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 64277->64373 64278 6c87a133 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 64278->64282 64280 6c86e090 2 API calls 64280->64282 64281->64275 64282->64201 64282->64278 64282->64280 64283 6c6fed02 Sleep 64282->64283 64284 6c6ff7b1 64282->64284 64303 6c6fe8c1 64283->64303 64391 6c879450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 64284->64391 64286 6c6fe8dd GetCurrentProcess TerminateProcess 64286->64282 64287 6c6fa9bb 64290 6c87a133 std::_Facet_Register 4 API calls 64287->64290 64288 6c6fa9a4 64289 6c87a133 std::_Facet_Register 4 API calls 
64288->64289 64298 6c6fa953 _Yarn _strlen 64289->64298 64290->64298 64291->64201 64291->64287 64291->64288 64291->64298 64292 6c8786e0 4 API calls 64292->64303 64293 6c6ffbb8 64294 6c6ffbe8 ExitWindowsEx Sleep 64293->64294 64294->64211 64295 6c6ff7c0 64295->64293 64296 6c6fb009 64300 6c87a133 std::_Facet_Register 4 API calls 64296->64300 64297 6c6faff0 64299 6c87a133 std::_Facet_Register 4 API calls 64297->64299 64298->64218 64298->64296 64298->64297 64301 6c6fafa0 _Yarn 64298->64301 64299->64301 64300->64301 64374 6c879050 64301->64374 64303->64282 64303->64286 64303->64292 64304 6c6fb059 std::ios_base::_Ios_base_dtor _strlen 64304->64201 64305 6c6fb42c 64304->64305 64306 6c6fb443 64304->64306 64309 6c6fb3da _Yarn _strlen 64304->64309 64307 6c87a133 std::_Facet_Register 4 API calls 64305->64307 64308 6c87a133 std::_Facet_Register 4 API calls 64306->64308 64307->64309 64308->64309 64309->64218 64310 6c6fb79e 64309->64310 64311 6c6fb7b7 64309->64311 64314 6c6fb751 _Yarn 64309->64314 64313 6c87a133 std::_Facet_Register 4 API calls 64310->64313 64312 6c87a133 std::_Facet_Register 4 API calls 64311->64312 64312->64314 64313->64314 64315 6c879050 104 API calls 64314->64315 64316 6c6fb804 std::ios_base::_Ios_base_dtor _strlen 64315->64316 64316->64201 64317 6c6fbc0f 64316->64317 64318 6c6fbc26 64316->64318 64321 6c6fbbbd _Yarn _strlen 64316->64321 64319 6c87a133 std::_Facet_Register 4 API calls 64317->64319 64320 6c87a133 std::_Facet_Register 4 API calls 64318->64320 64319->64321 64320->64321 64321->64218 64322 6c6fc08e 64321->64322 64323 6c6fc075 64321->64323 64326 6c6fc028 _Yarn 64321->64326 64325 6c87a133 std::_Facet_Register 4 API calls 64322->64325 64324 6c87a133 std::_Facet_Register 4 API calls 64323->64324 64324->64326 64325->64326 64327 6c879050 104 API calls 64326->64327 64332 6c6fc0db std::ios_base::_Ios_base_dtor _strlen 64327->64332 64328 6c6fc7bc 64331 6c87a133 std::_Facet_Register 4 API calls 64328->64331 64329 6c6fc7a5 64330 6c87a133 std::_Facet_Register 4 
API calls 64329->64330 64339 6c6fc753 _Yarn _strlen 64330->64339 64331->64339 64332->64201 64332->64328 64332->64329 64332->64339 64333 6c6fd3ed 64335 6c87a133 std::_Facet_Register 4 API calls 64333->64335 64334 6c6fd406 64336 6c87a133 std::_Facet_Register 4 API calls 64334->64336 64337 6c6fd39a _Yarn 64335->64337 64336->64337 64338 6c879050 104 API calls 64337->64338 64340 6c6fd458 std::ios_base::_Ios_base_dtor _strlen 64338->64340 64339->64218 64339->64333 64339->64334 64339->64337 64345 6c6fcb2f 64339->64345 64340->64201 64341 6c6fd8bb 64340->64341 64342 6c6fd8a4 64340->64342 64346 6c6fd852 _Yarn _strlen 64340->64346 64344 6c87a133 std::_Facet_Register 4 API calls 64341->64344 64343 6c87a133 std::_Facet_Register 4 API calls 64342->64343 64343->64346 64344->64346 64346->64218 64347 6c6fdccf 64346->64347 64348 6c6fdcb6 64346->64348 64351 6c6fdc69 _Yarn 64346->64351 64350 6c87a133 std::_Facet_Register 4 API calls 64347->64350 64349 6c87a133 std::_Facet_Register 4 API calls 64348->64349 64349->64351 64350->64351 64352 6c879050 104 API calls 64351->64352 64354 6c6fdd1c std::ios_base::_Ios_base_dtor 64352->64354 64353 6c8786e0 4 API calls 64353->64282 64354->64201 64354->64353 64356 6c878846 64355->64356 64357 6c8788be OpenServiceA 64356->64357 64358 6c878922 64356->64358 64357->64356 64358->64251 64363 6c860893 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 64359->64363 64360 6c864e71 CloseHandle 64360->64363 64361 6c863bd1 CloseHandle 64361->64363 64362 6c7037cb 64366 6c879450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 64362->64366 64363->64360 64363->64361 64363->64362 64365 6c84cea0 WriteFile ReadFile WriteFile WriteFile 64363->64365 64402 6c84c390 64363->64402 64365->64363 64366->64217 64367->64251 64368->64245 64370 6c878770 64369->64370 64371 6c8787b0 WaitForSingleObject CloseHandle CloseHandle 64370->64371 64372 6c8787a4 64370->64372 64371->64370 64372->64254 64373->64265 64375 6c8790a7 
64374->64375 64413 6c8796e0 64375->64413 64377 6c8790b8 64378 6c716ba0 104 API calls 64377->64378 64382 6c8790dc 64378->64382 64380 6c87918f std::ios_base::_Ios_base_dtor 64466 6c73e010 67 API calls 64380->64466 64384 6c879144 64382->64384 64390 6c879157 64382->64390 64432 6c879a30 64382->64432 64440 6c753010 64382->64440 64450 6c879280 64384->64450 64387 6c8791d2 std::ios_base::_Ios_base_dtor 64387->64304 64388 6c87914c 64389 6c717090 77 API calls 64388->64389 64389->64390 64465 6c73e010 67 API calls 64390->64465 64391->64295 64395 6c878966 std::locale::_Setgloballocale 64392->64395 64393 6c878a64 Process32NextW 64393->64395 64394 6c878a14 CloseHandle 64394->64395 64395->64393 64395->64394 64396 6c878a45 Process32FirstW 64395->64396 64397 6c878a96 64395->64397 64396->64395 64397->64222 64398->64241 64399->64261 64401->64223 64404 6c84c3a3 _Yarn __wsopen_s std::locale::_Setgloballocale 64402->64404 64403 6c84ce3c 64403->64363 64404->64403 64405 6c84cab9 CreateFileA 64404->64405 64407 6c84b4d0 64404->64407 64405->64404 64410 6c84b4e3 __wsopen_s std::locale::_Setgloballocale 64407->64410 64408 6c84c206 WriteFile 64408->64410 64409 6c84c377 64409->64404 64410->64408 64410->64409 64411 6c84b619 WriteFile 64410->64411 64412 6c84bc23 ReadFile 64410->64412 64411->64410 64412->64410 64414 6c879715 64413->64414 64415 6c742020 52 API calls 64414->64415 64416 6c8797b6 64415->64416 64417 6c87a133 std::_Facet_Register 4 API calls 64416->64417 64418 6c8797ee 64417->64418 64419 6c87aa17 43 API calls 64418->64419 64420 6c879802 64419->64420 64421 6c741d90 89 API calls 64420->64421 64423 6c8798ab 64421->64423 64422 6c8798dc 64422->64377 64423->64422 64467 6c742250 30 API calls 64423->64467 64425 6c879916 64468 6c7426e0 24 API calls 4 library calls 64425->64468 64427 6c879928 64469 6c87ca69 RaiseException 64427->64469 64429 6c87993d 64470 6c73e010 67 API calls 64429->64470 64431 6c87994f 64431->64377 64433 6c879a7d 64432->64433 64471 6c879c90 64433->64471 64435 6c879a95 64436 
6c879b6c 64435->64436 64489 6c742250 30 API calls 64435->64489 64490 6c7426e0 24 API calls 4 library calls 64435->64490 64491 6c87ca69 RaiseException 64435->64491 64436->64382 64441 6c75304f 64440->64441 64444 6c753063 64441->64444 64500 6c743560 32 API calls std::_Xinvalid_argument 64441->64500 64446 6c75311e 64444->64446 64502 6c742250 30 API calls 64444->64502 64503 6c7426e0 24 API calls 4 library calls 64444->64503 64504 6c87ca69 RaiseException 64444->64504 64449 6c753131 64446->64449 64501 6c7437e0 32 API calls std::_Xinvalid_argument 64446->64501 64449->64382 64451 6c87928e 64450->64451 64454 6c8792c1 64450->64454 64453 6c7401f0 64 API calls 64451->64453 64452 6c879373 64452->64388 64455 6c8792b4 64453->64455 64454->64452 64505 6c742250 30 API calls 64454->64505 64457 6c884208 67 API calls 64455->64457 64457->64454 64458 6c87939e 64506 6c742340 24 API calls 64458->64506 64460 6c8793ae 64507 6c87ca69 RaiseException 64460->64507 64462 6c8793b9 64508 6c73e010 67 API calls 64462->64508 64464 6c879412 std::ios_base::_Ios_base_dtor 64464->64388 64465->64380 64466->64387 64467->64425 64468->64427 64469->64429 64470->64431 64472 6c879ccc 64471->64472 64473 6c879cf8 64471->64473 64487 6c879cf1 64472->64487 64494 6c742250 30 API calls 64472->64494 64478 6c879d09 64473->64478 64492 6c743560 32 API calls std::_Xinvalid_argument 64473->64492 64476 6c879ed8 64495 6c742340 24 API calls 64476->64495 64478->64487 64493 6c742f60 42 API calls 4 library calls 64478->64493 64479 6c879ee7 64496 6c87ca69 RaiseException 64479->64496 64483 6c879f17 64498 6c742340 24 API calls 64483->64498 64485 6c879f2d 64499 6c87ca69 RaiseException 64485->64499 64487->64435 64488 6c879d43 64488->64487 64497 6c742250 30 API calls 64488->64497 64489->64435 64490->64435 64491->64435 64492->64478 64493->64488 64494->64476 64495->64479 64496->64488 64497->64483 64498->64485 64499->64487 64500->64444 64501->64449 64502->64444 64503->64444 64504->64444 64505->64458 64506->64460 64507->64462 64508->64464 
64509 6c6f3d62 64511 6c6f3bc0 64509->64511 64510 6c6f3e8a GetCurrentThread NtSetInformationThread 64512 6c6f3eea 64510->64512 64511->64510
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                   • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID: HR^
                                                  • API String ID: 4218353326-1341859651

                                                  Control-flow Graph
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C87893E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                   • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: CreateSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 3332741929-0

                                                  Control-flow Graph
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                   • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                   • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: CurrentThread
                                                  • String ID:
                                                  • API String ID: 2882836952-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                   • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: CurrentThread
                                                  • String ID:
                                                  • API String ID: 2882836952-0
                                                  APIs
                                                  • GetCurrentThread.KERNEL32 ref: 6C6F3E9D
                                                  • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C6F3EAA
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                   • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: Thread$CurrentInformation
                                                  • String ID:
                                                  • API String ID: 1650627709-0
                                                  • Opcode ID: b6f25f33a44b332c5cc1ea9d98cb73a4eff7f436e21459a37be15819f0c8ddce
                                                  • Instruction ID: a925e4c474de19cb15d60d4008799f5c87e09893667d35438ad72e8175208c5f
                                                  • Opcode Fuzzy Hash: b6f25f33a44b332c5cc1ea9d98cb73a4eff7f436e21459a37be15819f0c8ddce
                                                  • Instruction Fuzzy Hash: 5A31F431159B018FD720CF28C8947D6B7A3AF96314F698A2DC0B65BA81DBB4700BDB56
                                                  APIs
                                                  • GetCurrentThread.KERNEL32 ref: 6C6F3E9D
                                                  • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C6F3EAA
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                   • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: Thread$CurrentInformation
                                                  • String ID:
                                                  • API String ID: 1650627709-0
                                                  • Opcode ID: c4831c45ce48a5e5566946d3f7e0975f790b4e0e914d1fba7f2586378c08cde6
                                                  • Instruction ID: 4102aec1b41bfcded5cd459c3054981035a3075270f9cfd3859a3660753e9cd1
                                                  • Opcode Fuzzy Hash: c4831c45ce48a5e5566946d3f7e0975f790b4e0e914d1fba7f2586378c08cde6
                                                  • Instruction Fuzzy Hash: 7E31F1311187018BD734CF28C4947E6B7A3AF96308F654E2DC0B65BA81DBB17446CB56
                                                  APIs
                                                  • GetCurrentThread.KERNEL32 ref: 6C6F3E9D
                                                  • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C6F3EAA
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                   • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: Thread$CurrentInformation
                                                  • String ID:
                                                  • API String ID: 1650627709-0
                                                  • Opcode ID: 2ed530aa36baca4c32c47536138b3a3aaaa6be80c124a70d111a3ba180ddc561
                                                  • Instruction ID: 4daab83546738683b9eeb27b7ef4f2a70d00e394acbfedad0bca1543025c0cff
                                                  • Opcode Fuzzy Hash: 2ed530aa36baca4c32c47536138b3a3aaaa6be80c124a70d111a3ba180ddc561
                                                  • Instruction Fuzzy Hash: 7E21C4301197018BD734CF28C8947E677B3AF56304F654A3DC0B68BA91DBB5B446CB5A
                                                  APIs
                                                  • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C878820
                                                  • OpenServiceA.ADVAPI32(?,?,00000004), ref: 6C8788C5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                   • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: Open$ManagerService
                                                  • String ID:
                                                  • API String ID: 2351955762-0
                                                  • Opcode ID: 77081e11c8f64f4cfb78df1477963ff7b368c0b602863ff7efa0ff5ca13ba90f
                                                  • Instruction ID: 0df80a981e18f666f3eda203628960ffb69ed2e2402300b7970d2a857518fcef
                                                  • Opcode Fuzzy Hash: 77081e11c8f64f4cfb78df1477963ff7b368c0b602863ff7efa0ff5ca13ba90f
                                                  • Instruction Fuzzy Hash: 4E312974609311AFC721DF29C949A0EBBF0AB89754F548C6EF498E7361E371C8488B63
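The records above show raw argument values: the 00000011 passed as the second argument of NtSetInformationThread, and the 00000001 and 00000004 access masks passed to OpenSCManagerA and OpenServiceA. Decoding those positions is what turns an API listing into a triage finding. The following Python is an added example written for this page, not code from Joe Sandbox or its IDA plugin: it parses entries in the report's "APIs" line format and decodes the argument positions whose meaning the Windows API fixes. The constants come from the Windows SDK (winsvc.h) and ntdll's THREADINFOCLASS (0x11 = ThreadHideFromDebugger); the regex and the treatment of "?" (the report's marker for an argument the sandbox could not resolve) are my assumptions about the report's text format; the sample lines are copied from the records on this page.

```python
import re
from typing import Optional

# One "APIs" entry of a Joe Sandbox IDA-plugin record, e.g.
#   • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C6F3EAA
#   • GetCurrentThread.KERNEL32 ref: 6C6F3E9D
#   • Part of subcall function 6C897B47: CreateFileW.KERNEL32(...), ref: 6C897B64
# The regex is an assumption about the report's text format, not a documented grammar.
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Values fixed by Windows: THREADINFOCLASS (ntdll) and the access masks from winsvc.h.
THREADINFOCLASS = {0x11: "ThreadHideFromDebugger"}
SC_MANAGER_ACCESS = {
    0x0001: "SC_MANAGER_CONNECT", 0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE", 0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS", 0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
}
SERVICE_ACCESS = {
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP", 0x0040: "SERVICE_PAUSE_CONTINUE",
    0x0080: "SERVICE_INTERROGATE", 0x0100: "SERVICE_USER_DEFINED_CONTROL",
}

# Sample input copied from the API records on this page.
SAMPLE = """\
• GetCurrentThread.KERNEL32 ref: 6C6F3E9D
• NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C6F3EAA
• OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C878820
• OpenServiceA.ADVAPI32(?,?,00000004), ref: 6C8788C5
• FindFirstFileA.KERNEL32(?,?), ref: 6C86E0AC
• FindClose.KERNEL32(000000FF), ref: 6C86E0E2
""".splitlines()


def parse_api_line(line: str) -> Optional[dict]:
    """Parse one entry; '?' (an argument the sandbox could not resolve) becomes None."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = (m.group("args") or "").strip()
    args = []
    if raw:
        for tok in raw.split(","):
            tok = tok.strip()
            args.append(None if tok in ("", "?") else int(tok, 16))
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": args,
        "ref": int(m.group("ref"), 16),
        "subcall_of": int(m.group("sub"), 16) if m.group("sub") else None,
    }


def flags(value: int, table: dict) -> str:
    """Render an access mask as named bits; bits not in the table are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) or "0"


def decode(rec: dict) -> Optional[str]:
    """Explain only the argument positions whose meaning the API contract fixes."""
    args = rec["args"]

    def arg(i):
        return args[i] if i < len(args) else None

    if rec["api"] == "NtSetInformationThread" and arg(1) is not None:
        cls = arg(1)
        if cls == 0x11:
            return "ThreadHideFromDebugger: thread hidden from debugger (anti-debugging)"
        name = THREADINFOCLASS.get(cls, f"0x{cls:X}")
        return f"ThreadInformationClass {name}"
    if rec["api"] in ("OpenSCManagerA", "OpenSCManagerW") and arg(2) is not None:
        return f"SCM opened with access {flags(arg(2), SC_MANAGER_ACCESS)}"
    if rec["api"] in ("OpenServiceA", "OpenServiceW") and arg(2) is not None:
        return f"service opened with access {flags(arg(2), SERVICE_ACCESS)}"
    return None


def triage(lines) -> list:
    """One finding per entry whose decoded arguments matter for triage."""
    findings = []
    for line in lines:
        rec = parse_api_line(line)
        if rec is None:
            continue
        note = decode(rec)
        if note:
            findings.append({"api": rec["api"], "ref": f"{rec['ref']:08X}", "note": note})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['ref']}  {f['api']:<24} {f['note']}")
```

Decode only positions the API contract fixes and treat "?" as unknown rather than filling it in: the values are what the sandbox captured or inferred at the call site, and here the handle argument is listed as 00000000 even though the preceding GetCurrentThread returns a pseudo-handle. A ThreadInformationClass of 0x11 is the ThreadHideFromDebugger technique that a "hides threads from debuggers" signature keys on; once the flag is set on a thread, a debugger attached afterwards receives no events from it, so this is the record to look at when stepping through the DLL in a debugger stops working.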
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 6C86E0AC
                                                  • FindClose.KERNEL32(000000FF), ref: 6C86E0E2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                   • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: Find$CloseFileFirst
                                                  • String ID:
                                                  • API String ID: 2295610775-0
                                                  • Opcode ID: b0ab8e9a341204d976e3c1c86d82107148ac4fed05f40e6dc5c45a6d4cbe5aca
                                                  • Instruction ID: 46fd929ee6654fa9d50c727b2bfc963bce860a12cdbdf5bb7d7f6f599fb4dfc7
                                                  • Opcode Fuzzy Hash: b0ab8e9a341204d976e3c1c86d82107148ac4fed05f40e6dc5c45a6d4cbe5aca
                                                  • Instruction Fuzzy Hash: ED113A7450C351DFC7218F29CA44A4ABBF4AB86315F148D5AF4E8C7B90E734D8988B93

                                                   Control-flow Graph (graph rendering not reproduced)
                                                   • Function: 6c8901c3-6c890572
                                                   • API-calling blocks: GetConsoleMode (6c890447), ReadConsoleW (6c89045e), ReadFile (6c8904a8), GetLastError (6c89047a, 6c89051c)
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                   • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8Q
                                                  • API String ID: 0-4022487301
                                                  • Opcode ID: cd418c5722da2b9a1c6f0d58e23dba052821cb50bece6e1507b167c59fcf6d26
                                                  • Instruction ID: e5951f76644bda9a1e41006a3ed44cb68150d637025f1a307dc5fecccdc4bc0c
                                                  • Opcode Fuzzy Hash: cd418c5722da2b9a1c6f0d58e23dba052821cb50bece6e1507b167c59fcf6d26
                                                  • Instruction Fuzzy Hash: 0BC1F870F052899FDF21CF9CCA80BAEBBB0AF4E318F104969E514ABB41C7319945CB61

                                                   Control-flow Graph (graph rendering not reproduced)
                                                   • Function: 6c89775c-6c897a85
                                                   • API-calling blocks: GetFileType (6c897882), GetLastError (6c897857, 6c89788d, 6c897a35), CloseHandle (6c89788d, 6c897a00); subcall 6c897b47 (the CreateFileW wrapper listed under APIs)
                                                  APIs
                                                    • Part of subcall function 6C897B47: CreateFileW.KERNEL32(00000000,00000000,?,6C897805,?,?,00000000,?,6C897805,00000000,0000000C), ref: 6C897B64
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C897870
                                                  • __dosmaperr.LIBCMT ref: 6C897877
                                                  • GetFileType.KERNEL32(00000000), ref: 6C897883
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C89788D
                                                  • __dosmaperr.LIBCMT ref: 6C897896
                                                  • CloseHandle.KERNEL32(00000000), ref: 6C8978B6
                                                  • CloseHandle.KERNEL32(6C88E7C0), ref: 6C897A03
                                                  • GetLastError.KERNEL32 ref: 6C897A35
                                                  • __dosmaperr.LIBCMT ref: 6C897A3C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                   • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                  • String ID: 8Q
                                                  • API String ID: 4237864984-4022487301
                                                  • Opcode ID: ca46753a69a3f4d010db861815533d8444bddec0361030b1417f74405454e122
                                                  • Instruction ID: 872406a598360dddd4d68cc72c3f048522ff89e06327824446ca15e8109ee8ad
                                                  • Opcode Fuzzy Hash: ca46753a69a3f4d010db861815533d8444bddec0361030b1417f74405454e122
                                                  • Instruction Fuzzy Hash: 4FA14532A041549FCF299F6CCD91BAD7BB1AB47328F28056DE811AFB90D7358906CB51
                                                  APIs
                                                  • WriteFile.KERNEL32(?,?,00000038,?,00000000), ref: 6C84B62F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                   • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID: *$,=ym$-=ym$-=ym$B$H
                                                  • API String ID: 3934441357-3163594065
                                                  • Opcode ID: ab79b6c5abc425863f0e1648f41eb9cb7c9b3ab2fcce5b6cf4b3ad09d9f6ad13
                                                  • Instruction ID: f7e03f5d19f9e5decbbceb6f482e21e936b17ee04fab98099a7a6db6f055d8d3
                                                  • Opcode Fuzzy Hash: ab79b6c5abc425863f0e1648f41eb9cb7c9b3ab2fcce5b6cf4b3ad09d9f6ad13
                                                  • Instruction Fuzzy Hash: 0F729B706097899FCB24CF28C59066EBBE1AF89304F18CE1EE499CBB51E774D8458B53
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                   • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ;T55
                                                  • API String ID: 0-2572755013
                                                  • Opcode ID: 7562812cca2332cc198b75b73477710ca069fe0b2fa8ff5b7d1f1a2e3c18eb5c
                                                  • Instruction ID: d6cbd03995617d9fe0dfdfadb4636263a491f607011c8a98c34eeb2a62c11c3e
                                                  • Opcode Fuzzy Hash: 7562812cca2332cc198b75b73477710ca069fe0b2fa8ff5b7d1f1a2e3c18eb5c
                                                  • Instruction Fuzzy Hash: 5603E171745B018FC728CF28C9D06A6B7E3AFD532871DCA2DC0A64BA95DB74B44ACB50

                                                   Control-flow Graph (graph rendering not reproduced)
                                                   • Function: 6c8786e0-6c878807
                                                   • API-calling blocks: CreateProcessA (6c8786e0), WaitForSingleObject and CloseHandle x2 (6c8787b0)
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                   • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$CreateObjectProcessSingleWait
                                                  • String ID: D
                                                  • API String ID: 2059082233-2746444292
                                                  • Opcode ID: 3040f46ff98de85edd258056d6bbe1f631b751bf075473e69e15655ab3b888b9
                                                  • Instruction ID: bb07079f3d99e7a82f4c342ab5f3b0bb5ded61d83ed1e8fdc8df2812af84659b
                                                  • Opcode Fuzzy Hash: 3040f46ff98de85edd258056d6bbe1f631b751bf075473e69e15655ab3b888b9
                                                  • Instruction Fuzzy Hash: B431C2718193808FD760DF28D28471EBBF0AB9A358F505A1EF8D996360E7789584CF53

                                                   Control-flow Graph (graph rendering not reproduced)
                                                   • Function: 6c88f34e-6c88f52f
                                                   • API-calling blocks: WriteFile (6c88f485), GetLastError (6c88f4a9); subcall 6c88f5a1 at 6c88f416 (the GetConsoleCP caller listed under APIs)
                                                  APIs
                                                    • Part of subcall function 6C88F5A1: GetConsoleCP.KERNEL32(?,6C88E7C0,?), ref: 6C88F5E9
                                                  • WriteFile.KERNEL32(?,?,6C897DDC,00000000,00000000,?,00000000,00000000,6C8991A6,00000000,00000000,?,00000000,6C88E7C0,6C897DDC,00000000), ref: 6C88F49F
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C897DDC,6C88E7C0,00000000,?,?,?,?,00000000,?), ref: 6C88F4A9
                                                  • __dosmaperr.LIBCMT ref: 6C88F4EE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                                  • String ID: 8Q
                                                  • API String ID: 251514795-4022487301
                                                  • Opcode ID: 6f3ed21f995e6d841dba8147b0581739739e887f8167e6e471023b6f0d345a3f
                                                  • Instruction ID: c8880b8e0537aa98fc81fe47bb4ec3b5c95379145913acb4afeaa80a800dd0a4
                                                  • Opcode Fuzzy Hash: 6f3ed21f995e6d841dba8147b0581739739e887f8167e6e471023b6f0d345a3f
                                                  • Instruction Fuzzy Hash: CD51E671A0211AAFDB21CFA8CA40BDFBBB9EF19358F140D62D500ABE81D774D945CB61
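The Memory Dump Source entries above name each dumped region with a dot-separated, hex-encoded file name. The Python below is an added example written for this page, not Joe Sandbox code: it splits those names into fields and decodes the protection and memory-type values with the winnt.h constants (PAGE_EXECUTE_READ = 0x20, PAGE_READONLY = 0x02, PAGE_WRITECOPY = 0x08, MEM_IMAGE = 0x1000000). Which field carries which meaning is an assumption made here from the values on the page (field 4 as region base address, field 5 as protection, field 7 as memory type; fields 1 to 3 read as process index, dump pass and dump id; fields 6 and 8 are kept uninterpreted). The seven names are copied from the list above, one of them with the "Download File" link text that the report's download links fuse onto these names, and the module base 0x6C6F0000 is the Offset the report gives.

```python
import re
from dataclasses import dataclass

# winnt.h memory protection constants (the low byte of the protection value).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# winnt.h memory type constants as returned by VirtualQuery.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout (not documented on this page): eight dot-separated fields, then ".sdmp".
# Fields 4, 5 and 7 are read as base address, protection and memory type; the rest are
# parsed as integers and kept as-is.
_SDMP = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process: int    # field 1: analysis process index (assumed)
    dump_pass: int  # field 2: dump pass (assumed)
    dump_id: int    # field 3: dump identifier (assumed)
    base: int       # field 4: region base address
    protect: int    # field 5: memory protection
    field6: int     # field 6: not interpreted
    mem_type: int   # field 7: memory type
    field8: int     # field 8: not interpreted

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:
        # Every PAGE_EXECUTE* value sits in the high nibble of the low byte.
        return bool(self.protect & 0xF0)


def parse_sdmp(name: str) -> DumpRegion:
    """Parse one .sdmp name; tolerates the 'Download File' link text fused on by the report page."""
    m = _SDMP.match(name.removesuffix("Download File").strip())
    if not m:
        raise ValueError(f"not an sdmp name: {name!r}")
    f = m.groups()
    return DumpRegion(int(f[0], 16), int(f[1], 16), int(f[2], 10), int(f[3], 16),
                      int(f[4], 16), int(f[5], 16), int(f[6], 16), int(f[7], 16))


def module_layout(names, image_base: int) -> list[tuple[int, str, str]]:
    """Regions sorted by address as (RVA relative to image_base, protection, memory type)."""
    regions = sorted((parse_sdmp(n) for n in names), key=lambda r: r.base)
    return [(r.base - image_base, r.protect_name, r.type_name) for r in regions]


def executable_regions(names) -> list[int]:
    """Base addresses of the regions dumped with an executable protection, ascending."""
    regions = sorted((parse_sdmp(n) for n in names), key=lambda r: r.base)
    return [r.base for r in regions if r.executable]


# The seven dump names the report lists for this module (process 5, image base 0x6C6F0000).
REPORT_DUMPS = [
    "00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp",
    "00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmpDownload File",
    "00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp",
    "00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp",
    "00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp",
    "00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp",
    "00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp",
]
IMAGE_BASE = 0x6C6F0000

if __name__ == "__main__":
    for rva, prot, mtype in module_layout(REPORT_DUMPS, IMAGE_BASE):
        print(f"RVA 0x{rva:06x}  {prot:<24} {mtype}")
```

Run stand-alone it prints the region layout relative to the image base. Under the field assumptions above, two of the seven regions carry PAGE_EXECUTE_READ protection (RVA 0x1000, where the report's code snapshot starts, and RVA 0x28C000), which is the first thing to know when stitching the dumps back into a loadable module for static analysis.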

                                                  Control-flow Graph: entry block 6c879280 (rendered in the report with executed / not-executed colouring; node and edge list not reproduced here). No Win32 API nodes appear in the graph; internal callees: 6c7401f0, 6c884208, 6c742250, 6c742340, 6c87ca69, 6c73e010, 6c87a778.
                                                  APIs
                                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C879421
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: Ios_base_dtorstd::ios_base::_
                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                  • API String ID: 323602529-1866435925
                                                  • Opcode ID: 806a6850c6c58d93efc208b6487bffdc75b9841f284a6e0dcb4d7841a92335b3
                                                  • Instruction ID: 5cc0f987cce230c531216b3ae6b4c3386a713c45757d3e50b92ada0fe136777a
                                                  • Opcode Fuzzy Hash: 806a6850c6c58d93efc208b6487bffdc75b9841f284a6e0dcb4d7841a92335b3
                                                  • Instruction Fuzzy Hash: B65144B1500B008FD735CF29C685B9BBBF1BB49318F408D2DD88647B91E775A90ACB90
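The Similarity blocks key each function on an "API ID" built from the names in its APIs list: the first record above gives ConsoleErrorFileLastWrite__dosmaperr for GetConsoleCP, WriteFile, GetLastError and __dosmaperr, and the second gives Ios_base_dtorstd::ios_base::_ for std::ios_base::_Ios_base_dtor. The Python below is an added example, not Joe Sandbox's own implementation: it rebuilds the key with a rule inferred from the pairs visible on this page (split each name before every uppercase letter, drop the "Get" verb and one-letter pieces, sort the unique tokens bytewise, concatenate) and checks that rule against every API list / API ID pair the page shows. The rule is an inference, so the check function is the point: it returns any pair the rule fails to reproduce.

```python
import re
from typing import Iterable

# Split before every uppercase letter:
#   "GetLastError"                 -> ["Get", "Last", "Error"]
#   "std::ios_base::_Ios_base_dtor" -> ["std::ios_base::_", "Ios_base_dtor"]
_UPPER_BOUNDARY = re.compile(r"(?=[A-Z])")


def api_tokens(api_name: str) -> list[str]:
    """Tokens one API name contributes (inferred rule: drop 'Get' and one-letter pieces)."""
    pieces = [p for p in _UPPER_BOUNDARY.split(api_name) if p]
    return [p for p in pieces if len(p) > 1 and p != "Get"]


def api_id(api_names: Iterable[str]) -> str:
    """Rebuild the report's 'API ID' key: unique tokens, sorted bytewise, concatenated."""
    tokens = {t for name in api_names for t in api_tokens(name)}
    return "".join(sorted(tokens))


# Each pair is an 'APIs' list and the 'API ID' the report shows for it on this page.
# For __wsopen_s and _free the report lists no API rows, so the key itself is the input.
PAGE_PAIRS = [
    (["GetConsoleCP", "WriteFile", "GetLastError", "__dosmaperr"],
     "ConsoleErrorFileLastWrite__dosmaperr"),
    (["std::ios_base::_Ios_base_dtor"], "Ios_base_dtorstd::ios_base::_"),
    (["ReadFile"], "FileRead"),
    (["CloseHandle", "GetLastError", "__dosmaperr"], "CloseErrorHandleLast__dosmaperr"),
    (["std::ios_base::_Ios_base_dtor", "std::ios_base::_Ios_base_dtor"],
     "Ios_base_dtorstd::ios_base::_"),
    (["GetLastError", "ExitThread"], "ErrorExitLastThread"),
    (["__wsopen_s"], "__wsopen_s"),
    (["_free"], "_free"),
]


def check_against_page() -> list[tuple[str, str]]:
    """(expected, got) for every page pair the inferred rule does not reproduce; empty means all match."""
    return [(exp, api_id(apis)) for apis, exp in PAGE_PAIRS if api_id(apis) != exp]


def find_by_api_id(target: str, candidates: dict[str, list[str]]) -> list[str]:
    """Pivot helper: names of candidate functions (name -> API list) that share the target key."""
    return [fn for fn, apis in candidates.items() if api_id(apis) == target]


if __name__ == "__main__":
    mismatches = check_against_page()
    print("all page pairs reproduced" if not mismatches else f"mismatches: {mismatches}")
```

The numeric "API String ID" pair that follows each key (for instance 251514795-4022487301, where the empty API ID gives 0 and the String ID 8Q gives 4022487301 in both records that carry it) is derived from the API ID and String ID texts by a function the page does not state, so it is not reproduced here; pivoting on the textual API ID is enough to find functions with the same import profile across reports.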

                                                  Control-flow Graph: entry block 6c84cea0 (rendered in the report with executed / not-executed colouring; node and edge list not reproduced here). API calls reached in the graph: WriteFile (blocks 6c84cf05, 6c84d091, 6c84d0af), ReadFile (block 6c84cfb8). Internal callees: 6c87a260, 6c87ea90, 6c87f010.
                                                  APIs
                                                  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C84CFE1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  • Opcode ID: 929faae1c40e284ef20ab055a0f858d6353ff56977148d58e635fea57d22997a
                                                  • Instruction ID: 4755b7ca8f1779538fa70e5d83c6ff6b32ee96a123136934a785687fc95a921b
                                                  • Opcode Fuzzy Hash: 929faae1c40e284ef20ab055a0f858d6353ff56977148d58e635fea57d22997a
                                                  • Instruction Fuzzy Hash: C0714FB0209348AFD720DF19C984B5ABBE8BF89708F508D2EF494D7651D3B5D9488F92

                                                  Control-flow Graph: entry block 6c84c390 (rendered in the report with executed / not-executed colouring; the large node and edge list is not reproduced here). API call reached in the graph: CreateFileA (block 6c84caa0, after the call to 6c84ce50). Internal callees: 6c87a260, 6c87f010, 6c84b4d0, 6c87ea90, 6c84ce50, 6c842a20, 6c842a30.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @*Z$@*Z
                                                  • API String ID: 0-2842812045
                                                  • Opcode ID: 56af683857e12192812a3583b64781d7262167459b8aa9c446e9a5123b7a6535
                                                  • Instruction ID: 50805f1b2445fb10ff5555029f7516f76eafd2c25673c4d1c2b0aaf5da9c8819
                                                  • Opcode Fuzzy Hash: 56af683857e12192812a3583b64781d7262167459b8aa9c446e9a5123b7a6535
                                                  • Instruction Fuzzy Hash: 1C42697060934A8FCB24DF18C68166EBBE5AF89348F248D2EF495C7762D331D9498B13

                                                  Control-flow Graph: entry block 6c88f015 (rendered in the report with executed / not-executed colouring; node and edge list not reproduced here). API calls reached in the graph: CloseHandle (block 6c88f063), GetLastError (block 6c88f075). Internal callees: 6c894c92, 6c894e0f, 6c8830e2.
                                                  APIs
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,6C89794F), ref: 6C88F06B
                                                  • GetLastError.KERNEL32(?,00000000,?,6C89794F), ref: 6C88F075
                                                  • __dosmaperr.LIBCMT ref: 6C88F0A0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: CloseErrorHandleLast__dosmaperr
                                                  • String ID:
                                                  • API String ID: 2583163307-0
                                                  • Opcode ID: cb08e3f2395bb9d8e1f46dfd404e3e8bc7a4167828ef5bb52c9bcc87fe2842b3
                                                  • Instruction ID: 715d6a5c493b15dfdda0359d2c1c7e08fb683dc31be91c1d5a5cb61ee9b5e933
                                                  • Opcode Fuzzy Hash: cb08e3f2395bb9d8e1f46dfd404e3e8bc7a4167828ef5bb52c9bcc87fe2842b3
                                                  • Instruction Fuzzy Hash: 3A012B3370B2246ED235523D9B447AE37694BD373CF2A4E69E9249BFC1DF75884481A0

                                                  Control-flow Graph: entry block 6c88428c (rendered in the report with executed / not-executed colouring; node and edge list not reproduced here). No Win32 API nodes appear in the graph; internal callees: 6c8830bc, 6c883810, 6c8843a9, 6c88be2e, 6c88d350, 6c88ef88, 6c88e565, 6c887eab.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8Q
                                                  • API String ID: 0-4022487301
                                                  • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                                  • Instruction ID: 7eeab6dc925b9ecb41bb5991602390911a9e8e75c675f326f71693c6649cced8
                                                  • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                                  • Instruction Fuzzy Hash: 61F0AD375076245AD6315A6D9E00ADA32AC8FC233CB100F29EA2493ED0DB64D80A86A1
                                                  APIs
                                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C8791A4
                                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C8791E4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: Ios_base_dtorstd::ios_base::_
                                                  • String ID:
                                                  • API String ID: 323602529-0
                                                  • Opcode ID: a7d4c620664256fe130d4abc5f13ee56a5d4ced560a26b528cb8b239a819493f
                                                  • Instruction ID: 547b7a2fc896a33db876a9f810efa865b63020ce083b0da1d1e806e0bf9a37b9
                                                  • Opcode Fuzzy Hash: a7d4c620664256fe130d4abc5f13ee56a5d4ced560a26b528cb8b239a819493f
                                                  • Instruction Fuzzy Hash: DA512875101B00DBD735CF29CA88BD6B7F4BB05714F448A1CD4AA47BA1EB35B949CB90
                                                  APIs
                                                  • GetLastError.KERNEL32(6C8A9DD0,0000000C), ref: 6C882642
                                                  • ExitThread.KERNEL32 ref: 6C882649
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: ErrorExitLastThread
                                                  • String ID:
                                                  • API String ID: 1611280651-0
                                                  • Opcode ID: 861045890359530e1707334da1457409f893d923f9fb879aaa2fcebdbbc860f1
                                                  • Instruction ID: 68f64172fe94ae1ce023c7e980627a5cd77a744ff321a24a7673c9dcc3935483
                                                  • Opcode Fuzzy Hash: 861045890359530e1707334da1457409f893d923f9fb879aaa2fcebdbbc860f1
                                                  • Instruction Fuzzy Hash: D8F0C271A01204AFDB209BB4CA4DAAE3B74FF41708F244A69E001A7F91DB759945DBA1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: __wsopen_s
                                                  • String ID:
                                                  • API String ID: 3347428461-0
                                                  • Opcode ID: 30adf2ad03b9487ce71c1ecc1a3ec4c1515fb857e5a97112c17bb1530accf1c9
                                                  • Instruction ID: a8445751f6235c39f1880747f997173753f4f676188d5fe7b244cbcb10543813
                                                  • Opcode Fuzzy Hash: 30adf2ad03b9487ce71c1ecc1a3ec4c1515fb857e5a97112c17bb1530accf1c9
                                                  • Instruction Fuzzy Hash: EB114875A0420AAFCF16DF58EA4499F7BF8EF49308F1444A9F809AB311D670ED11CBA5
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,00000000,?,6C897805,?,?,00000000,?,6C897805,00000000,0000000C), ref: 6C897B64
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID: C
                                                  • API String ID: 4218353326-4157497815
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 6C87945A
                                                  • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C879466
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C879474
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C87949B
                                                  • NtInitiatePowerAction.NTDLL ref: 6C8794AF
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  Similarity
                                                  • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                                  • String ID: SeShutdownPrivilege
                                                  • API String ID: 3256374457-3733053543
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: \j`7$\j`7$j
                                                  • API String ID: 0-3644614255
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 6C8D9CE5
                                                    • Part of subcall function 6C8AFC2A: __EH_prolog.LIBCMT ref: 6C8AFC2F
                                                    • Part of subcall function 6C8B16A6: __EH_prolog.LIBCMT ref: 6C8B16AB
                                                    • Part of subcall function 6C8D9A0E: __EH_prolog.LIBCMT ref: 6C8D9A13
                                                    • Part of subcall function 6C8D9837: __EH_prolog.LIBCMT ref: 6C8D983C
                                                    • Part of subcall function 6C8DD143: __EH_prolog.LIBCMT ref: 6C8DD148
                                                    • Part of subcall function 6C8DD143: ctype.LIBCPMT ref: 6C8DD16C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  Similarity
                                                  • API ID: H_prolog$ctype
                                                  • String ID:
                                                  • API String ID: 1039218491-3916222277
                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6C883969
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6C883973
                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6C883980
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                  • String ID:
                                                  • API String ID: 3906539128-0
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000000,?,6C882925,6C87D339,00000003,00000000,6C87D339,00000000), ref: 6C88288F
                                                  • TerminateProcess.KERNEL32(00000000,?,6C882925,6C87D339,00000003,00000000,6C87D339,00000000), ref: 6C882896
                                                  • ExitProcess.KERNEL32 ref: 6C8828A8
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: x=J
                                                  • API String ID: 3519838083-1497497802
                                                  APIs
                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C87AFA0
                                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C87B7C3
                                                    • Part of subcall function 6C87CA69: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C87B7AC,00000000,?,?,?,6C87B7AC,?,6C8A853C), ref: 6C87CAC9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  Similarity
                                                  • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                                  • String ID:
                                                  • API String ID: 915016180-0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @4J$DsL
                                                  • API String ID: 0-2004129199
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 6C8C840F
                                                    • Part of subcall function 6C8C9137: __EH_prolog.LIBCMT ref: 6C8C913C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: YA1
                                                  • API String ID: 0-613462611
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  Similarity
                                                  • API ID: __aullrem
                                                  • String ID:
                                                  • API String ID: 3758378126-0
                                                  • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                                  • Instruction ID: 99e5067a829d2c9008e94fe26b8febc29bc595e441761e407550a4377db0397b
                                                  • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                                  • Instruction Fuzzy Hash: 5A51D871A092459BE710CF5EC4C02EDFBE6EF79214F18C45EE88897242D27A5D9AC760
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID: 0-3916222277
                                                  • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                                  • Instruction ID: 2cd5985b13ed095ddd9d22b0fa116645cece1783b65a7a494361f74c99b3891b
                                                  • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                                  • Instruction Fuzzy Hash: 7002C4326183818BD724CF28C59079EBBE2BFC9308F144A2DE4D597B59C779D945CB82
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (SL
                                                  • API String ID: 0-669240678
                                                  • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                                  • Instruction ID: 98dd5be3336656479f0a04d21e3177e20208c64857c66c1867e38a371a867777
                                                  • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                                  • Instruction Fuzzy Hash: 2C519473E208314AD78CCE24DC2177572D2E784310F8BC1B99D4BAB6E6CD78989187C4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: B
                                                  • API String ID: 0-1255198513
                                                  • Opcode ID: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                                                  • Instruction ID: 727c30a077d00af2fa1774d3b03ff160364046a9ee1b07852b638ed01871a5ab
                                                  • Opcode Fuzzy Hash: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                                                  • Instruction Fuzzy Hash: 273124315087518BD314DF28D884AABB3E2FBC4325F64CA3ED89ACBA94E7745815CF41
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                                  • Instruction ID: ed9700adbc1207dac10f944e903fd22ffdc7e9f63aadafb0788bb1b313a7e390
                                                  • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                                  • Instruction Fuzzy Hash: 59525E31218B418BD328CF39C5946AAB7EABF95308F148A2DD4DAC7B45DB78F449CB41
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                                  • Instruction ID: a6c267cb08cc3177743b441cf7c8299f7552f7658997618e649c34e84e72e10f
                                                  • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                                  • Instruction Fuzzy Hash: EC6224B1A183518FC714CF19C49061AFBFABFC8744F249A2EE89987715D770E945CB82
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                                  • Instruction ID: 276069bfa85a7ae36af5bf19b2eea1a624defc974fad6a376432f89d4d0a4d7e
                                                  • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                                  • Instruction Fuzzy Hash: 6112CF712193428FC718CF28C5906AAFBE2BFC8304F54492DE9D697B45DB39E849CB91
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                                  • Instruction ID: ffe7b2f9f0360d1ad19b3ef35e68fcde36f622b5f27f020d37ea21a38573a1e1
                                                  • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                                  • Instruction Fuzzy Hash: 4902F932A08222CBD319CE28C590279BBF2FBC4355F151B2EE49AD7E94D774D944CB92
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                                  • Instruction ID: 497e5b35e82ced07df62451306a59824e7551e9f0aa785f73e128fe0db287082
                                                  • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                                  • Instruction Fuzzy Hash: B3F132326246898BEB24CE28D8547EEB7E2FBC1324F54453DD889CBB44DB39D50AC791
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                                  • Instruction ID: 1f634042a02e16766f1600bfe83c49335ad5cfc6da6bbfd5bd78af8d205052ae
                                                  • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                                  • Instruction Fuzzy Hash: EAD1EE71505A268FD319CF1CC498236BBE1FF85308F054ABDDAAA8B28AD734E505CB90
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                                                  • Instruction ID: 7a65cf681a551859c370c3497555c53e001f8079bc25b6abe0e42703a1236ab3
                                                  • Opcode Fuzzy Hash: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                                                  • Instruction Fuzzy Hash: 69B1A6366087128BD318DE78D8408BB73A2EBC1320F558A3DE596C79C4DB35D91A8B85
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                                  • Instruction ID: b6137af9efcd67a1de06dba37fdcd39eaad331f973aaeb4a51428810fa35818a
                                                  • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                                  • Instruction Fuzzy Hash: D6C1C4352147418BC718CE39D0A06A7BBE2EFD9314F148A6DC4CA8BB59DA34E80ECB55
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                                  • Instruction ID: 9b8ea52a3a4d03ba34f1e945f338c78ad5decf61e0468623f3e4323d053d6113
                                                  • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                                  • Instruction Fuzzy Hash: 76B1E131314B454BD324DE39C890BEAB7E5AFA2308F40492DC5EA87B55EF39E9098790
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                                  • Instruction ID: 51c6be8b2b04287a4d0d8ca123140a5336f6038862e2f4efb0a66f7ea1cc5b1f
                                                  • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                                  • Instruction Fuzzy Hash: 50B1CC756187028BC304DF29C8806ABF7E2FFD8304F14892DE4DA87715E774A95ACB95
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                                  • Instruction ID: f6e94816df82b8754d7f79403b21d8dcaad934f032f137ead91baa7c6927a5bb
                                                  • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                                  • Instruction Fuzzy Hash: DDA1267161C3418FE318DF2DC4906AABBE1AFD5348F144A2DE4DAC7B48D635E94ACB42
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                                  • Instruction ID: 743ff9a04d6eba61d21d3c0c897ae936b5d1180f3c0d71d0fa38ec8fe1188050
                                                  • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                                  • Instruction Fuzzy Hash: 1E81D035A047028FD320DF29C080296B7E5FF99704F28CAADC5D99B715E776E946CB81
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                                                  • Instruction ID: e5680b8d7ecf659df9af3e4221f0583f3e2dd0bcfe3596050690ec756cf36699
                                                  • Opcode Fuzzy Hash: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                                                  • Instruction Fuzzy Hash: 615188366166124BC70CDA3CD8519E73392EBD9370B18C73EE556C79D4EB79940BC600
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                                  • Instruction ID: c3db12a3d3b6a5c87a4fc16c3fe13f56cbbf82c5cad7fb4bcce1d485e486b38e
                                                  • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                                  • Instruction Fuzzy Hash: C0519D76F006099BDB18CF98DA916EDB7F2EB88304F248569D112E7781D774DE42CB81
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                                                  • Instruction ID: ce41ea78e1b72ab8a00d128d4890f99a4d7559fc385c484f3b60fd9919d582c4
                                                  • Opcode Fuzzy Hash: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                                                  • Instruction Fuzzy Hash: DE5136355087068BC314DF6CE8409EAB3A2AFC1320F658B3EA495CB8D1EB755529CB46
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                                  • Instruction ID: 2ae379657c2a9a907c6a7f23b98cb03883c9d9feb9924eb4449e33694d824e54
                                                  • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                                  • Instruction Fuzzy Hash: 653114277A450103CB1CCA2BCD1279FA1575BD422A75ECF396805CAF59D52CC8125145
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 81fb7fc96f77d47a2381de64c3b03a5677fdca1855e1e5d4d92a421ea28f8923
                                                  • Instruction ID: 955b73bbdbe912ce2537af5a39938cb6e368a97ee68ded5efd6300b6ab8a1e21
                                                  • Opcode Fuzzy Hash: 81fb7fc96f77d47a2381de64c3b03a5677fdca1855e1e5d4d92a421ea28f8923
                                                  • Instruction Fuzzy Hash: 8041AB72A587168FC304EE58EC804FBB3A6EFC8320F904B3DA866971D5D771691AC790
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                                                  • Instruction ID: 8e19c3079b05bc2ddf282c3256cccac3994ff828958b9f165c9cef7162ea9b08
                                                  • Opcode Fuzzy Hash: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                                                  • Instruction Fuzzy Hash: F8316831A047128BD729DE39E4450ABB3E3EFC5318B59CB3DC4568B589EB75A01BCB41
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                                  • Instruction ID: 7c426d6528aea7df62fc6b65cb2eec058eab9e50a2416ded9e545032136364c8
                                                  • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                                  • Instruction Fuzzy Hash: F6219077320A064BE74C8A38D83737532D0A705318F98A22DEA6BCE2C2D73AC457C385
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 110a3fe7f426abf10a5393aca776322d1a6214e06e72743a319a3f7562851b93
                                                  • Instruction ID: ff55f750acf5b1d3d35f3c3b73726716c50fa8910554a4bbd89ef306b3bf03be
                                                  • Opcode Fuzzy Hash: 110a3fe7f426abf10a5393aca776322d1a6214e06e72743a319a3f7562851b93
                                                  • Instruction Fuzzy Hash: 7FF0A031A16220EBCB26DA4CC501B8A73B8EB45BA8F1184A7E401ABA80C2B0ED40C7D4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                                  • Instruction ID: 94c5db5fe27e5ac7cd35b8937682bafd9871c5be3d6f5e7c095dbf9d6fcafa1c
                                                  • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                                  • Instruction Fuzzy Hash: D8E04632913228EBCB20CB888A0498AB3ACEB45A04B1108A7A505D3A40C274EE40C7D0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                                                  • Instruction ID: 9e775abeed684ca77467d17cca6977048c68fff2285a19e0a564aa4dd6adc1c9
                                                  • Opcode Fuzzy Hash: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                                                  • Instruction Fuzzy Hash: 27C002F6609606AF970CCF1FA480415FBE9FAD8321324C23FA02DC3700C77198258B64
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                                  • API String ID: 3519838083-609671
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  Similarity
                                                  • API ID: __aulldiv$H_prolog
                                                  • String ID: >WJ$x$x
                                                  • API String ID: 2300968129-3162267903
                                                  APIs
                                                  • _ValidateLocalCookies.LIBCMT ref: 6C87D1F7
                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 6C87D1FF
                                                  • _ValidateLocalCookies.LIBCMT ref: 6C87D288
                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 6C87D2B3
                                                  • _ValidateLocalCookies.LIBCMT ref: 6C87D308
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  Similarity
                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 1170836740-1018135373
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: api-ms-$ext-ms-
                                                  • API String ID: 0-537541572
                                                  APIs
                                                  • GetConsoleCP.KERNEL32(?,6C88E7C0,?), ref: 6C88F5E9
                                                  • __fassign.LIBCMT ref: 6C88F7C8
                                                  • __fassign.LIBCMT ref: 6C88F7E5
                                                  • WriteFile.KERNEL32(?,6C8991A6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C88F82D
                                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C88F86D
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C88F919
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  Similarity
                                                  • API ID: FileWrite__fassign$ConsoleErrorLast
                                                  • String ID:
                                                  • API String ID: 4031098158-0
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 6C742F95
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 6C742FAF
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 6C742FD0
                                                  • __Getctype.LIBCPMT ref: 6C743084
                                                  • std::_Facet_Register.LIBCPMT ref: 6C74309C
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 6C7430B7
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                                  • String ID:
                                                  • API String ID: 1102183713-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  Similarity
                                                  • API ID: __aulldiv$__aullrem
                                                  • String ID:
                                                  • API String ID: 2022606265-0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 6C8BD6F1
                                                    • Part of subcall function 6C8CC173: __EH_prolog.LIBCMT ref: 6C8CC178
                                                  • __EH_prolog.LIBCMT ref: 6C8BD8F9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: IJ$WIJ$J
                                                  • API String ID: 3519838083-740443243
                                                  APIs
                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 6C742A76
                                                  APIs
                                                  • _free.LIBCMT ref: 6C8991CD
                                                  • _free.LIBCMT ref: 6C8991F6
                                                  • SetEndOfFile.KERNEL32(00000000,6C897DDC,00000000,6C88E7C0,?,?,?,?,?,?,?,6C897DDC,6C88E7C0,00000000), ref: 6C899228
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C897DDC,6C88E7C0,00000000,?,?,?,?,00000000,?), ref: 6C899244
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 6C8D141D
                                                    • Part of subcall function 6C8D1E40: __EH_prolog.LIBCMT ref: 6C8D1E45
                                                    • Part of subcall function 6C8D18EB: __EH_prolog.LIBCMT ref: 6C8D18F0
                                                    • Part of subcall function 6C8D1593: __EH_prolog.LIBCMT ref: 6C8D1598
                                                  APIs
                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C8828A4,00000000,?,6C882925,6C87D339,00000003,00000000), ref: 6C88282F
                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C882842
                                                  • FreeLibrary.KERNEL32(00000000,?,?,6C8828A4,00000000,?,6C882925,6C87D339,00000003,00000000), ref: 6C882865
                                                  APIs
                                                  • __EH_prolog3.LIBCMT ref: 6C87AA1E
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 6C87AA29
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 6C87AA97
                                                    • Part of subcall function 6C87A920: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C87A938
                                                  • std::locale::_Setgloballocale.LIBCPMT ref: 6C87AA44
                                                  • _Yarn.LIBCPMT ref: 6C87AA5A
                                                  APIs
                                                    • Part of subcall function 6C87AA17: __EH_prolog3.LIBCMT ref: 6C87AA1E
                                                    • Part of subcall function 6C87AA17: std::_Lockit::_Lockit.LIBCPMT ref: 6C87AA29
                                                    • Part of subcall function 6C87AA17: std::locale::_Setgloballocale.LIBCPMT ref: 6C87AA44
                                                    • Part of subcall function 6C87AA17: _Yarn.LIBCPMT ref: 6C87AA5A
                                                    • Part of subcall function 6C87AA17: std::_Lockit::~_Lockit.LIBCPMT ref: 6C87AA97
                                                    • Part of subcall function 6C742F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C742F95
                                                    • Part of subcall function 6C742F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C742FAF
                                                    • Part of subcall function 6C742F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C742FD0
                                                    • Part of subcall function 6C742F60: __Getctype.LIBCPMT ref: 6C743084
                                                    • Part of subcall function 6C742F60: std::_Facet_Register.LIBCPMT ref: 6C74309C
                                                    • Part of subcall function 6C742F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C7430B7
                                                  • std::ios_base::_Addstd.LIBCPMT ref: 6C74211B
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 6C8D7ECC
                                                    • Part of subcall function 6C8C258A: __EH_prolog.LIBCMT ref: 6C8C258F
                                                  APIs
                                                  • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C88E7C0,6C741DEA,00008000,6C88E7C0,?,?,?,6C88E36F,6C88E7C0,?,00000000,6C741DEA), ref: 6C88E4B9
                                                  • GetLastError.KERNEL32(?,?,?,6C88E36F,6C88E7C0,?,00000000,6C741DEA,?,6C897D8E,6C88E7C0,000000FF,000000FF,00000002,00008000,6C88E7C0), ref: 6C88E4C3
                                                  • __dosmaperr.LIBCMT ref: 6C88E4CA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastPointer__dosmaperr
                                                  • String ID: 8Q
                                                  • API String ID: 2336955059-4022487301
                                                  • Opcode ID: 770f750082120c0b9a5914a52744e94513942996bf19428e61716e17a4d0eb6b
                                                  • Instruction ID: 6ea4ae2a0097d69bf5a20d6cea94cc9313b94ea06505cab832563fecd50adbf4
                                                  • Opcode Fuzzy Hash: 770f750082120c0b9a5914a52744e94513942996bf19428e61716e17a4d0eb6b
                                                  • Instruction Fuzzy Hash: BB012836711914BBCB258F9DCE04C9E3B2DEBC6334B250618E8259BA80EA31D90187E0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: <J$DJ$HJ$TJ$]
                                                  • API String ID: 0-686860805
                                                  • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                                  • Instruction ID: 2c25dfa1ab54f67375bb4560038a64f2c83565c6a428b08abf375f7bb224dc54
                                                  • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                                  • Instruction Fuzzy Hash: C2419670D05249ABCF34DFE4D6918EEB774AF11308B108979D52167E50EB35EA49CB82
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: __aulldiv
                                                  • String ID:
                                                  • API String ID: 3732870572-0
                                                  • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                                  • Instruction ID: 08f7c65e00736b4a5d24301ec2de68d3c8befa2aba9b0044367cef3ae9b72eb3
                                                  • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                                  • Instruction Fuzzy Hash: 5A118E76200308BEEB314BA4CD80EAB7BB9EBD9748F008869F55156A90CB71EC049721
                                                  APIs
                                                  • GetLastError.KERNEL32(00000008,?,00000000,6C88BB43), ref: 6C8880A7
                                                  • _free.LIBCMT ref: 6C888104
                                                  • _free.LIBCMT ref: 6C88813A
                                                  • SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C888145
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast_free
                                                  • String ID:
                                                  • API String ID: 2283115069-0
                                                  • Opcode ID: 8443ee589b6ef1479af849257c4838b6e1b6f4e84ff485629cc4607bc8522faa
                                                  • Instruction ID: 323f9beaa13aaeff226530beeb375b07a8a7dfe3fedafe16d0c330b3016bbd7d
                                                  • Opcode Fuzzy Hash: 8443ee589b6ef1479af849257c4838b6e1b6f4e84ff485629cc4607bc8522faa
                                                  • Instruction Fuzzy Hash: BD118A76347115AADB71597D9E84D9B226AABC277C7350E3AF12492EC0DF628C058220
                                                  APIs
                                                  • WriteConsoleW.KERNEL32(00000000,?,6C897DDC,00000000,00000000,?,6C898241,00000000,00000001,00000000,6C88E7C0,?,6C88F976,?,?,6C88E7C0), ref: 6C8995C1
                                                  • GetLastError.KERNEL32(?,6C898241,00000000,00000001,00000000,6C88E7C0,?,6C88F976,?,?,6C88E7C0,?,6C88E7C0,?,6C88F40C,6C8991A6), ref: 6C8995CD
                                                    • Part of subcall function 6C89961E: CloseHandle.KERNEL32(FFFFFFFE,6C8995DD,?,6C898241,00000000,00000001,00000000,6C88E7C0,?,6C88F976,?,?,6C88E7C0,?,6C88E7C0), ref: 6C89962E
                                                  • ___initconout.LIBCMT ref: 6C8995DD
                                                    • Part of subcall function 6C8995FF: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C89959B,6C89822E,6C88E7C0,?,6C88F976,?,?,6C88E7C0,?), ref: 6C899612
                                                  • WriteConsoleW.KERNEL32(00000000,?,6C897DDC,00000000,?,6C898241,00000000,00000001,00000000,6C88E7C0,?,6C88F976,?,?,6C88E7C0,?), ref: 6C8995F2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                  • String ID:
                                                  • API String ID: 2744216297-0
                                                  • Opcode ID: 37b4f023dd1968830222dcd38efc5afaf6eed75b52a6662bf46a5f07987c03ff
                                                  • Instruction ID: bbc23cc35a066d5eaacb1e4997d985587bae3b13f82c896a0c696bf11b00243b
                                                  • Opcode Fuzzy Hash: 37b4f023dd1968830222dcd38efc5afaf6eed75b52a6662bf46a5f07987c03ff
                                                  • Instruction Fuzzy Hash: 1EF01C36205128BFCF321FD9DC44A8E3F76FF0A7A5F054520FA0995624DA328860EBA1
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 6C8B1077
                                                    • Part of subcall function 6C8B0FF5: __EH_prolog.LIBCMT ref: 6C8B0FFA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: :$\
                                                  • API String ID: 3519838083-1166558509
                                                  • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                                  • Instruction ID: 63b66636560689ce3a00de142b1faaf6f61f402c534826b2c63bf04e687cb450
                                                  • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                                  • Instruction Fuzzy Hash: F9E1B0709006099ACB31DFA8C7907EEB7B1AF05318F10492DD856BFB90EB75E94ACB51
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: H_prolog__aullrem
                                                  • String ID: d%K
                                                  • API String ID: 3415659256-3110269457
                                                  • Opcode ID: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                                  • Instruction ID: eddcebf898be7ce4f32f4bb57352946e8fc73010ad41058ac5fd31635dd2f4eb
                                                  • Opcode Fuzzy Hash: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                                  • Instruction Fuzzy Hash: C7811771A002089FDF21CF58C640BDEB7F5AF5938CF24886ADA64AF641D771E906CB90
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: H_prolog3_
                                                  • String ID: 8Q
                                                  • API String ID: 2427045233-4022487301
                                                  • Opcode ID: 2277e6f4f137773da379cf3b0cb0b26281334e50b8dd5c6d85d796086e5ae389
                                                  • Instruction ID: 0e8bbdc91f0e7a81d013fbce545964126be251b7f760b53872ae167b4047407c
                                                  • Opcode Fuzzy Hash: 2277e6f4f137773da379cf3b0cb0b26281334e50b8dd5c6d85d796086e5ae389
                                                  • Instruction Fuzzy Hash: DD71F770D562169BDF318F99CB406FE7A75AF45318F248A39E820E7E80DB39D845C760
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: @$hfJ
                                                  • API String ID: 3519838083-1391159562
                                                  • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                                  • Instruction ID: ffad3a0681173eccb0045970e33705ac9155a10c105535540df82e43ae562156
                                                  • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                                  • Instruction Fuzzy Hash: 67914870910609DFCB20DF99CA909DEFBF4BF18308F65492EE456E7A90D770AA48CB10
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 6C8CBC5D
                                                    • Part of subcall function 6C8CA61A: __EH_prolog.LIBCMT ref: 6C8CA61F
                                                    • Part of subcall function 6C8CAA2E: __EH_prolog.LIBCMT ref: 6C8CAA33
                                                    • Part of subcall function 6C8CBEA5: __EH_prolog.LIBCMT ref: 6C8CBEAA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: WZJ
                                                  • API String ID: 3519838083-1089469559
                                                  • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                                  • Instruction ID: 36046357c25559e38532e194954f26b48d648923cf04188ef4665fd82d31b29e
                                                  • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                                  • Instruction Fuzzy Hash: E9815C31E00558DFCF25DFE8D690AEDBBB4AF19318F1048AAE51167790DB30AE09CB61
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: <dJ$Q
                                                  • API String ID: 3519838083-2252229148
                                                  • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                                  • Instruction ID: 54b01d60cbeb661bcec14de73ed3d93ddda6518458b5fc4d182bd01fb1d3c60c
                                                  • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                                  • Instruction Fuzzy Hash: 8D518F7190424AEFCF21DFD8CA809EDB7B1BF48318F11892EE515AB650D731AE4ACB50
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: $D^J
                                                  • API String ID: 3519838083-3977321784
                                                  • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                                  • Instruction ID: fc2c07ad20abee729d35ea5286147334a5f82062b1dcce233f0c57694713d17c
                                                  • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                                  • Instruction Fuzzy Hash: C1412821B045A06FD7369B6C86927E8BBA16F37208F148D78C49217EC1DB65D98BC3D2
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C897DC6), ref: 6C89070B
                                                  • __dosmaperr.LIBCMT ref: 6C890712
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast__dosmaperr
                                                  • String ID: 8Q
                                                  • API String ID: 1659562826-4022487301
                                                  • Opcode ID: 9260b2b475cd342cebb498e29a9ce547e1e0476b3a33fc4af6f7091f7aecb21e
                                                  • Instruction ID: 4e7c6e0be5e97db626adda0ec198e4c635560f080a2d2ee2f5af1847e96d83f6
                                                  • Opcode Fuzzy Hash: 9260b2b475cd342cebb498e29a9ce547e1e0476b3a33fc4af6f7091f7aecb21e
                                                  • Instruction Fuzzy Hash: 32416B716092D8AFDB328F5CCA80AA97FF5EF8B354F144959E8849BA41D3319C11CBA0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                  • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID: U#tl$q!tl
                                                  • API String ID: 4218353326-524205392
                                                  • Opcode ID: d3afa214fb3c3160147337b2c04cd1a7c89793c9e115090aee0302ebf8fc7419
                                                  • Instruction ID: 48ed809422805007c39922d2f0cf0277e8509cba881ee366be76f1f26148f5de
                                                  • Opcode Fuzzy Hash: d3afa214fb3c3160147337b2c04cd1a7c89793c9e115090aee0302ebf8fc7419
                                                  • Instruction Fuzzy Hash: 2241D0B2C002189BDB10DFA8D984BDEBBB9FF58354F144635E805E7741E3319958CBA1
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: X&L$p|J
                                                  • API String ID: 3519838083-2944591232
                                                  • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                                  • Instruction ID: ec6fa5527af4a3240c6fac32c7aeb4813854a93936be2840503527522df8efca
                                                  • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                                  • Instruction Fuzzy Hash: A9314731685909CBD7319B9CDF01BED7771EB1B328F20093FD510A6EE2CB618986CA54
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: 0|J$`)L
                                                  • API String ID: 3519838083-117937767
                                                  • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                                  • Instruction ID: 8cb39c05c64766db06e15a708f643d5a63659c08a9f402b5caa4a5ed346c40f2
                                                  • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                                  • Instruction Fuzzy Hash: 62418031601785EFDB219FA4C6907EABBE2FF4A209F00482EE45A97611CB716905CB91
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                  • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: __aulldiv
                                                  • String ID: 3333
                                                  • API String ID: 3732870572-2924271548
                                                  • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                                  • Instruction ID: ffbcbe3fdd21b889e384f746b8d75c46ea6c36e67a0e4b78fda1ef26ff30141f
                                                  • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                                  • Instruction Fuzzy Hash: FB219CB0A407046EE730CF698980B9BBAFDEB99B15F10CD2EA146D7B40D770D9048755
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: @$LuJ
                                                  • API String ID: 3519838083-205571748
                                                  • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                                  • Instruction ID: 61b1a592a7890e92430cc7ecc9a8ab15248940d4141ed7b7c499940bd5f11913
                                                  • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                                  • Instruction Fuzzy Hash: CB016171E01209DACB20DF9985805AEF7B4EF6A704F50882EE569F3A51C334AE04CB55
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: @$xMJ
                                                  • API String ID: 3519838083-951924499
                                                  • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                                  • Instruction ID: 0371f844672572ee478821fb7e5e4d3272923f4a64b8fbff5acc0df75eb2375a
                                                  • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                                  • Instruction Fuzzy Hash: 0E113979A01209DBCB11CFA9C5905AEF7B4FF68308B90CC6EE469E7B50D3349A05CB95
                                                  APIs
                                                  • _free.LIBCMT ref: 6C891439
                                                  • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C88DD2A,?,00000004,?,4B42FCB6,?,?,6C882E7C,4B42FCB6,?), ref: 6C891475
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1844259462.000000006C6F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6F0000, based on PE: true
                                                   • Associated: 00000005.00000002.1844230273.000000006C6F0000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845569255.000000006C89B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846972146.000000006CA67000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: AllocHeap_free
                                                  • String ID: 8Q
                                                  • API String ID: 1080816511-4022487301
                                                  • Opcode ID: e3cba969d2ae26a110a8fb32d8d06ded89bcb7e80c727b598c4fa39a7591aeb5
                                                  • Instruction ID: 98977dc7535350e0a5f9d53f7f721558a090bb70b3f7a7525970fc966b2d9e90
                                                  • Opcode Fuzzy Hash: e3cba969d2ae26a110a8fb32d8d06ded89bcb7e80c727b598c4fa39a7591aeb5
                                                  • Instruction Fuzzy Hash: 71F0C83260E515669B311A2E5E40A8B277E9FC6BB8B118925E8165AE80DB30D40581A1
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: H_prologctype
                                                  • String ID: |zJ
                                                  • API String ID: 3037903784-3782439380
                                                  • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                                  • Instruction ID: 874f57e0388f2164eb7f7cecd82bef8ed70fda3244855e43645ca49542bc5670
                                                  • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                                  • Instruction Fuzzy Hash: 0FE0E5326011249BE7248B4CCA017DEF3A8FF5971CF10441F9012E3A41CBB1A800C681
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID: H_prologctype
                                                  • String ID: <oJ
                                                  • API String ID: 3037903784-2791053824
                                                  • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                                  • Instruction ID: 281e40be11680a422a15c91195bae16c82740bc9e4f41028d4fbcf997fb5296f
                                                  • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                                  • Instruction Fuzzy Hash: 72E0ED32A05120ABDB249F48CA10BDEF7B8EF61718F12041FA021A7B52CBB1E800CB90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @ K$DJ$T)K$X/K
                                                  • API String ID: 0-3815299647
                                                  • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                                  • Instruction ID: ede42baa6a1d5428a5d45f71d111d0aef562e2b0f652f6479909c09cb5ebe0e0
                                                  • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                                  • Instruction Fuzzy Hash: 3E91A134608B099BCB14FF68C6557EB73A6AF4330CF104829C8655BF82DB76E94AC751
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1845636177.000000006C8AB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C8AB000, based on PE: true
                                                   • Associated: 00000005.00000002.1846202425.000000006C976000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1846262669.000000006C97C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c6f0000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: D)K$H)K$P)K$T)K
                                                  • API String ID: 0-2262112463
                                                  • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                                  • Instruction ID: ef5c68d724cd6e981b277e9fce72cd3bc16c9948827f57b889d34a4b341a276c
                                                  • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                                  • Instruction Fuzzy Hash: 9E51C131A042099BCF14DFD8DA40ADEB7B5FF0532CF10482EE81167A91DB76E959CB54

                                                  Execution Graph

                                                  Execution Coverage:4%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:0.3%
                                                  Total number of Nodes:2000
                                                  Total number of Limit Nodes:40
12bcf8 CloseHandle 74442->74469 74444 13697a 74467 136b09 13 API calls __EH_prolog 74444->74467 74448->74408 74448->74414 74449 13698c 74468 121e40 free 74449->74468 74451->74410 74452->74411 74453->74418 74454->74419 74455->74422 74456->74426 74457->74416 74458->74442 74470 1277c8 74459->74470 74462 127d76 74462->74435 74464 134dff 7 API calls 2 library calls 74462->74464 74464->74435 74465->74436 74466->74444 74467->74449 74468->74441 74469->74448 74471 127731 5 API calls 74470->74471 74472 1277db 74471->74472 74472->74462 74473 127d3c SetEndOfFile 74472->74473 74473->74462 74475 14926c __EH_prolog 74474->74475 74476 1492fc 74475->74476 74480 1492a4 74475->74480 74477 12965d VariantClear 74476->74477 74479 134d91 74477->74479 74478 12965d VariantClear 74478->74479 74479->74394 74480->74478 74481->74398 74492 127ca2 74482->74492 74485 12bd3d 74485->74381 74488 16ad44 __EH_prolog 74487->74488 74500 136305 74488->74500 74489 16adbf 74489->74381 74491->74381 74494 127caf 74492->74494 74495 127cdb 74494->74495 74497 127c68 74494->74497 74495->74485 74496 12b8ec GetLastError 74495->74496 74496->74485 74498 127c76 74497->74498 74499 127c79 WriteFile 74497->74499 74498->74499 74499->74494 74501 13630f __EH_prolog 74500->74501 74537 1362b9 74501->74537 74503 136427 74507 12965d VariantClear 74503->74507 74505 13644a 74506 12965d VariantClear 74505->74506 74508 13646b 74506->74508 74526 136445 74507->74526 74541 135126 74508->74541 74513 134d78 VariantClear 74514 136499 74513->74514 74514->74526 74528 1364ca 74514->74528 74697 135110 9 API calls 74514->74697 74516 1365de 74517 1365e7 74516->74517 74518 13669e 74516->74518 74522 121e0c ctype 2 API calls 74517->74522 74530 1365f6 74517->74530 74524 136754 74518->74524 74525 1366b8 74518->74525 74518->74526 74519 1364da 74519->74516 74519->74526 74699 13789c free memmove ctype 74519->74699 74522->74530 74587 135bea 74524->74587 74527 121e0c ctype 2 API calls 74525->74527 74526->74489 74527->74526 74528->74519 74528->74526 
74698 1242e3 CharUpperW 74528->74698 74700 1436ea 74530->74700 74531 13665c 74712 1231e5 malloc _CxxThrowException free _CxxThrowException 74531->74712 74533 13666b 74713 121e40 free 74533->74713 74538 1362c9 74537->74538 74714 148fa4 74538->74714 74542 135130 __EH_prolog 74541->74542 74543 1351b4 74542->74543 74548 13518e 74542->74548 74758 123097 malloc _CxxThrowException free SysStringLen ctype 74542->74758 74546 12965d VariantClear 74543->74546 74543->74548 74545 12965d VariantClear 74554 13527f 74545->74554 74547 1351bc 74546->74547 74547->74548 74549 135206 74547->74549 74550 135289 74547->74550 74548->74545 74759 123097 malloc _CxxThrowException free SysStringLen ctype 74549->74759 74550->74548 74551 135221 74550->74551 74553 12965d VariantClear 74551->74553 74555 13522d 74553->74555 74554->74526 74583 148b05 74554->74583 74555->74554 74556 135351 74555->74556 74760 135459 malloc _CxxThrowException __EH_prolog 74555->74760 74556->74554 74563 1353a1 74556->74563 74765 1235e7 memmove 74556->74765 74559 1352ba 74761 128011 5 API calls ctype 74559->74761 74561 1352cf 74574 1352fd 74561->74574 74762 12823d 10 API calls 2 library calls 74561->74762 74563->74554 74766 1243b7 5 API calls 2 library calls 74563->74766 74565 1352e5 74567 122fec 3 API calls 74565->74567 74569 1352f5 74567->74569 74568 13540e 74768 13789c free memmove ctype 74568->74768 74763 121e40 free 74569->74763 74573 1353df 74573->74568 74575 13541c 74573->74575 74767 1242e3 CharUpperW 74573->74767 74764 1354a0 free ctype 74574->74764 74576 1436ea 5 API calls 74575->74576 74577 135427 74576->74577 74578 122fec 3 API calls 74577->74578 74579 135433 74578->74579 74769 121e40 free 74579->74769 74581 13543b 74770 152db9 free ctype 74581->74770 74584 148b2e 74583->74584 74585 12965d VariantClear 74584->74585 74586 13648a 74585->74586 74586->74513 74586->74526 74588 135bf4 __EH_prolog 74587->74588 74771 1354c0 74588->74771 74591 135e17 74591->74526 74592 148b05 VariantClear 74593 135c34 74592->74593 
74593->74591 74786 135630 74593->74786 74596 1436ea 5 API calls 74597 135c51 74596->74597 74598 135c60 74597->74598 74886 1357c1 53 API calls 2 library calls 74597->74886 74599 122f1c 2 API calls 74598->74599 74601 135c6c 74599->74601 74604 135caa 74601->74604 74887 136217 4 API calls 2 library calls 74601->74887 74603 135c91 74605 122fec 3 API calls 74603->74605 74607 135d49 74604->74607 74612 122e04 2 API calls 74604->74612 74606 135c9e 74605->74606 74888 121e40 free 74606->74888 74608 135d91 74607->74608 74609 135d55 74607->74609 74616 135da6 74608->74616 74807 1358be 74608->74807 74611 122fec 3 API calls 74609->74611 74615 135d66 74611->74615 74614 135cd2 74612->74614 74889 121e40 free 74614->74889 74617 135d73 74615->74617 74894 125b2d 11 API calls 2 library calls 74615->74894 74618 122fec 3 API calls 74616->74618 74676 135d8c 74616->74676 74617->74616 74621 135d7b 74617->74621 74620 135dd1 74618->74620 74625 135de7 74620->74625 74635 135e41 74620->74635 74620->74676 74626 137140 7 API calls 74621->74626 74621->74676 74624 135cf5 74624->74607 74632 122fec 3 API calls 74624->74632 74895 136b5e 69 API calls 2 library calls 74625->74895 74626->74676 74627 1361fa 74910 121e40 free 74627->74910 74628 135eb0 74631 121e0c ctype 2 API calls 74628->74631 74645 135eb7 74631->74645 74634 135d0c 74632->74634 74633 135e01 74636 135e20 74633->74636 74637 135e07 74633->74637 74890 121089 malloc _CxxThrowException free _CxxThrowException 74634->74890 74635->74628 74898 134115 VariantClear _CxxThrowException __EH_prolog 74635->74898 74642 137140 7 API calls 74636->74642 74636->74676 74896 121e40 free 74637->74896 74641 135e0f 74897 121e40 free 74641->74897 74642->74676 74643 135d16 74646 122f1c 2 API calls 74643->74646 74880 127c0d 74645->74880 74647 135d25 74646->74647 74891 143333 malloc _CxxThrowException free 74647->74891 74651 135e6e 74651->74628 74656 135ea5 74651->74656 74657 135ece 74651->74657 74651->74676 74653 135d31 74661 122fec 3 API calls 74656->74661 74899 
125c7e 11 API calls 2 library calls 74657->74899 74661->74628 74665 135ed8 74667 135f01 74665->74667 74668 135edc 74665->74668 74909 121e40 free 74676->74909 74697->74528 74698->74528 74699->74516 74701 1436f4 __EH_prolog 74700->74701 74702 122e04 2 API calls 74701->74702 74703 14370a 74702->74703 74704 143736 74703->74704 75215 121089 malloc _CxxThrowException free _CxxThrowException 74703->75215 75216 1231e5 malloc _CxxThrowException free _CxxThrowException 74703->75216 74705 122f1c 2 API calls 74704->74705 74708 143742 74705->74708 75214 121e40 free 74708->75214 74710 136633 74710->74531 74710->74533 74711 121089 malloc _CxxThrowException free _CxxThrowException 74710->74711 74711->74531 74712->74533 74713->74526 74715 148fae __EH_prolog 74714->74715 74716 147ebb free 74715->74716 74717 148ff2 74716->74717 74748 148b64 74717->74748 74721 149020 74722 122fec 3 API calls 74721->74722 74730 136302 74721->74730 74723 14903a 74722->74723 74736 14904d 74723->74736 74752 148b80 VariantClear 74723->74752 74725 149244 74757 1243b7 5 API calls 2 library calls 74725->74757 74726 1491b0 74755 148b9c 10 API calls 2 library calls 74726->74755 74729 149144 74731 122f88 3 API calls 74729->74731 74734 14917b 74729->74734 74730->74503 74730->74505 74730->74526 74731->74734 74732 149100 74735 12965d VariantClear 74732->74735 74733 1490d6 74733->74732 74739 1490e7 74733->74739 74754 148f2e 9 API calls 74733->74754 74734->74725 74734->74726 74735->74730 74736->74729 74736->74730 74736->74732 74736->74733 74753 123097 malloc _CxxThrowException free SysStringLen ctype 74736->74753 74737 1491c0 74737->74730 74741 122f88 3 API calls 74737->74741 74743 12965d VariantClear 74739->74743 74746 1491ff 74741->74746 74742 149112 74742->74732 74744 148b64 VariantClear 74742->74744 74743->74729 74745 149123 74744->74745 74745->74732 74745->74739 74746->74730 74756 1250ff free ctype 74746->74756 74749 148b05 VariantClear 74748->74749 74750 148b6f 74749->74750 74750->74730 74751 148f2e 9 API calls 
74750->74751 74751->74721 74752->74736 74753->74733 74754->74742 74755->74737 74756->74730 74757->74730 74758->74543 74759->74551 74760->74559 74761->74561 74762->74565 74763->74574 74764->74556 74765->74556 74766->74573 74767->74573 74768->74575 74769->74581 74770->74554 74772 1354ca __EH_prolog 74771->74772 74773 12965d VariantClear 74772->74773 74776 135507 74772->74776 74778 135528 74773->74778 74774 12965d VariantClear 74775 135567 74774->74775 74775->74591 74775->74592 74776->74774 74777 135572 74779 12965d VariantClear 74777->74779 74778->74776 74778->74777 74780 13558e 74779->74780 74911 134cac VariantClear __EH_prolog 74780->74911 74782 1355a1 74782->74775 74912 134cac VariantClear __EH_prolog 74782->74912 74784 1355b8 74784->74775 74913 134cac VariantClear __EH_prolog 74784->74913 74788 13563a __EH_prolog 74786->74788 74789 135679 74788->74789 74914 143558 10 API calls 2 library calls 74788->74914 74790 122f1c 2 API calls 74789->74790 74806 13571a 74789->74806 74791 135696 74790->74791 74915 143333 malloc _CxxThrowException free 74791->74915 74793 1356a2 74794 1356c5 74793->74794 74795 1356ad 74793->74795 74797 1356b4 74794->74797 74917 124adf wcscmp 74794->74917 74916 137853 5 API calls 2 library calls 74795->74916 74798 135707 74797->74798 74919 121089 malloc _CxxThrowException free _CxxThrowException 74797->74919 74920 1231e5 malloc _CxxThrowException free _CxxThrowException 74798->74920 74802 1356d2 74802->74797 74918 137853 5 API calls 2 library calls 74802->74918 74803 135712 74921 121e40 free 74803->74921 74806->74596 74808 1358c8 __EH_prolog 74807->74808 74809 122e04 2 API calls 74808->74809 74810 1358e9 74809->74810 74922 126c72 74810->74922 74814 135905 74818 135b2d 74829 122f1c 2 API calls 74818->74829 74834 135a38 74818->74834 75196 127bf0 74880->75196 74886->74598 74887->74603 74888->74604 74889->74624 74890->74643 74891->74653 74894->74617 74895->74633 74896->74641 74897->74591 74898->74651 74899->74665 74909->74627 74910->74591 74911->74782 
74912->74784 74913->74775 74914->74789 74915->74793 74916->74797 74917->74802 74918->74797 74919->74798 74920->74803 74921->74806 74924 126c7c __EH_prolog 74922->74924 74923 126cd3 74926 126ce2 74923->74926 74930 126d87 74923->74930 74924->74923 74925 126cb7 74924->74925 74927 122f88 3 API calls 74925->74927 74929 122f88 3 API calls 74926->74929 74928 126cc7 74927->74928 74928->74814 74928->74818 74934 126cf5 74929->74934 74931 122e47 2 API calls 74930->74931 74940 126f4a 74930->74940 74932 126db0 74931->74932 74939 126fd1 74940->74939 74942 126f7e 74940->74942 75199 12759a 75196->75199 75214->74710 75215->74703 75216->74703 75217 14d3c2 75218 14d3e9 75217->75218 75219 12965d VariantClear 75218->75219 75220 14d42a 75219->75220 75221 14d883 2 API calls 75220->75221 75222 14d4b1 75221->75222 75308 148d4a 75222->75308 75225 148b05 VariantClear 75227 14d4e3 75225->75227 75325 142a72 75227->75325 75229 122fec 3 API calls 75230 14d594 75229->75230 75231 14d742 75230->75231 75232 14d5cd 75230->75232 75356 14cd49 malloc _CxxThrowException free 75231->75356 75233 14d7d9 75232->75233 75329 149317 75232->75329 75359 121e40 free 75233->75359 75236 14d754 75239 122fec 3 API calls 75236->75239 75242 14d763 75239->75242 75240 14d7e1 75360 121e40 free 75240->75360 75241 14d5f1 75245 1604d2 5 API calls 75241->75245 75357 121e40 free 75242->75357 75244 14d7e9 75247 14326b free 75244->75247 75248 14d5f9 75245->75248 75259 14d69a 75247->75259 75335 14e332 75248->75335 75249 14d76b 75358 121e40 free 75249->75358 75252 14d773 75254 14326b free 75252->75254 75254->75259 75256 14d610 75342 121e40 free 75256->75342 75258 14d618 75343 14326b 75258->75343 75261 14d2a8 75261->75259 75283 14d883 75261->75283 75264 122fec 3 API calls 75265 14d361 75264->75265 75284 14d88d __EH_prolog 75283->75284 75285 122e04 2 API calls 75284->75285 75286 14d8c6 75285->75286 75287 122e04 2 API calls 75286->75287 75288 14d8d2 75287->75288 75289 122e04 2 API calls 75288->75289 75290 14d8de 75289->75290 75361 
142b63 75290->75361 75293 142b63 2 API calls 75294 14d34f 75293->75294 75294->75264 75315 148d54 __EH_prolog 75308->75315 75309 148e15 75312 148e2d 75309->75312 75314 148e5e 75309->75314 75316 148e21 75309->75316 75310 148e09 75311 12965d VariantClear 75310->75311 75324 148e11 75311->75324 75313 148e2b 75312->75313 75312->75314 75320 12965d VariantClear 75313->75320 75317 12965d VariantClear 75314->75317 75318 148da4 75315->75318 75369 122b55 malloc _CxxThrowException free _CxxThrowException ctype 75315->75369 75370 123097 malloc _CxxThrowException free SysStringLen ctype 75316->75370 75317->75324 75318->75309 75318->75310 75318->75324 75322 148e47 75320->75322 75322->75324 75371 148e7c 6 API calls __EH_prolog 75322->75371 75324->75225 75326 142a82 75325->75326 75327 122e04 2 API calls 75326->75327 75328 142a9f 75327->75328 75328->75229 75331 149321 __EH_prolog 75329->75331 75330 12965d VariantClear 75332 1493d0 75330->75332 75334 149360 75331->75334 75372 129686 VariantClear 75331->75372 75332->75233 75332->75241 75334->75330 75336 14e33c __EH_prolog 75335->75336 75337 121e0c ctype 2 API calls 75336->75337 75338 14e34a 75337->75338 75340 14d608 75338->75340 75373 14e3d1 malloc _CxxThrowException __EH_prolog 75338->75373 75341 121e40 free 75340->75341 75341->75256 75342->75258 75344 143275 __EH_prolog 75343->75344 75374 142c0b 75344->75374 75347 142c0b ctype free 75348 143296 75347->75348 75379 121e40 free 75348->75379 75350 14329e 75380 121e40 free 75350->75380 75352 1432a6 75381 121e40 free 75352->75381 75354 1432ae 75354->75261 75356->75236 75357->75249 75358->75252 75359->75240 75360->75244 75362 142b6d __EH_prolog 75361->75362 75363 122e04 2 API calls 75362->75363 75364 142b9a 75363->75364 75365 122e04 2 API calls 75364->75365 75366 142ba5 75365->75366 75366->75293 75369->75318 75370->75313 75371->75324 75372->75334 75373->75340 75382 121e40 free 75374->75382 75376 142c16 75383 121e40 free 75376->75383 75378 142c1e 75378->75347 75379->75350 75380->75352 
75381->75354 75382->75376 75383->75378 75384 14d948 75414 14dac7 75384->75414 75386 14d94f 75387 122e04 2 API calls 75386->75387 75388 14d97b 75387->75388 75389 122e04 2 API calls 75388->75389 75390 14d987 75389->75390 75393 14d9e7 75390->75393 75422 126404 75390->75422 75396 14da36 75393->75396 75397 14da0f 75393->75397 75399 14da94 75396->75399 75407 122da9 2 API calls 75396->75407 75411 1604d2 5 API calls 75396->75411 75449 121524 malloc _CxxThrowException __EH_prolog ctype 75396->75449 75450 121e40 free 75396->75450 75447 121e40 free 75397->75447 75398 14d9bf 75445 121e40 free 75398->75445 75451 121e40 free 75399->75451 75401 14da17 75448 121e40 free 75401->75448 75405 14d9c7 75446 121e40 free 75405->75446 75406 14da9c 75452 121e40 free 75406->75452 75407->75396 75410 14d9cf 75411->75396 75415 14dad1 __EH_prolog 75414->75415 75416 122e04 2 API calls 75415->75416 75417 14db33 75416->75417 75418 122e04 2 API calls 75417->75418 75419 14db3f 75418->75419 75420 122e04 2 API calls 75419->75420 75421 14db55 75420->75421 75421->75386 75453 12631f 75422->75453 75425 122f88 3 API calls 75426 126423 75425->75426 75427 122f88 3 API calls 75426->75427 75428 12643d 75427->75428 75429 137e5a 75428->75429 75430 137e64 __EH_prolog 75429->75430 75509 138179 75430->75509 75433 147ebb free 75434 137e7f 75433->75434 75435 122fec 3 API calls 75434->75435 75436 137e9a 75435->75436 75437 122da9 2 API calls 75436->75437 75438 137ea7 75437->75438 75439 126c72 44 API calls 75438->75439 75440 137eb7 75439->75440 75514 121e40 free 75440->75514 75442 137ecb 75443 137ed8 75442->75443 75515 12757d GetLastError 75442->75515 75443->75393 75443->75398 75445->75405 75446->75410 75447->75401 75448->75410 75449->75396 75450->75396 75451->75406 75452->75410 75454 129245 75453->75454 75457 1290da 75454->75457 75458 1290e4 __EH_prolog 75457->75458 75459 122f88 3 API calls 75458->75459 75460 1290f7 75459->75460 75461 12915d 75460->75461 75466 129109 75460->75466 75462 122e04 2 API calls 75461->75462 
75463 129165 75462->75463 75464 1291be 75463->75464 75467 129174 75463->75467 75503 126332 6 API calls 2 library calls 75464->75503 75469 122e47 2 API calls 75466->75469 75481 126414 75466->75481 75470 122f88 3 API calls 75467->75470 75468 12917d 75496 1291ca 75468->75496 75501 12859e malloc _CxxThrowException free _CxxThrowException 75468->75501 75471 129122 75469->75471 75470->75468 75498 128f57 memmove 75471->75498 75475 129185 75480 122e04 2 API calls 75475->75480 75476 12912e 75477 12914d 75476->75477 75499 1231e5 malloc _CxxThrowException free _CxxThrowException 75476->75499 75500 121e40 free 75477->75500 75482 129197 75480->75482 75481->75425 75481->75426 75483 1291ce 75482->75483 75484 12919f 75482->75484 75486 122f88 3 API calls 75483->75486 75485 1291b9 75484->75485 75502 121089 malloc _CxxThrowException free _CxxThrowException 75484->75502 75504 123199 malloc _CxxThrowException free _CxxThrowException 75485->75504 75486->75485 75489 1291e6 75505 128f57 memmove 75489->75505 75491 1291ee 75492 1291f2 75491->75492 75493 122fec 3 API calls 75491->75493 75507 121e40 free 75492->75507 75495 129212 75493->75495 75506 1231e5 malloc _CxxThrowException free _CxxThrowException 75495->75506 75508 121e40 free 75496->75508 75498->75476 75499->75477 75500->75481 75501->75475 75502->75485 75503->75468 75504->75489 75505->75491 75506->75492 75507->75496 75508->75481 75512 138906 75509->75512 75510 137e77 75510->75433 75512->75510 75516 138804 free ctype 75512->75516 75517 121e40 free 75512->75517 75514->75442 75515->75443 75516->75512 75517->75512 75518 1a6bc6 75519 1a6bcd 75518->75519 75521 1a6bca 75518->75521 75520 1a6bd1 malloc 75519->75520 75519->75521 75520->75521 75522 155475 75523 122fec 3 API calls 75522->75523 75524 1554b4 75523->75524 75527 15c911 75524->75527 75526 1554bb 75528 15c926 GetTickCount 75527->75528 75529 15c92f 75527->75529 75528->75529 75551 15c96d 75529->75551 75558 15cb64 75529->75558 75591 122ab1 strcmp 75529->75591 75533 15c9ce 75536 1227bb 3 
API calls 75533->75536 75533->75558 75534 15c95b 75534->75551 75592 123542 wcscmp 75534->75592 75538 15c9e2 75536->75538 75539 15ca0a 75538->75539 75594 12286d 75538->75594 75540 15ca21 75539->75540 75541 12286d 5 API calls 75539->75541 75547 12286d 5 API calls 75540->75547 75566 15cb10 75540->75566 75542 15ca16 75541->75542 75601 1228fa malloc _CxxThrowException free memcpy _CxxThrowException 75542->75601 75550 15ca40 75547->75550 75549 15cb59 75613 15cb92 malloc _CxxThrowException free 75549->75613 75554 122fec 3 API calls 75550->75554 75551->75558 75572 15c86a 75551->75572 75557 15ca4e 75554->75557 75602 122033 75557->75602 75558->75526 75559 15cb50 75562 1227bb 3 API calls 75559->75562 75560 15cb49 75612 121f91 fflush 75560->75612 75562->75549 75564 15caf5 75611 1228fa malloc _CxxThrowException free memcpy _CxxThrowException 75564->75611 75580 15cb74 75566->75580 75567 122fec 3 API calls 75570 15ca6a 75567->75570 75570->75564 75570->75567 75571 122033 10 API calls 75570->75571 75609 123599 memmove 75570->75609 75610 123402 malloc _CxxThrowException free memmove _CxxThrowException 75570->75610 75571->75570 75573 15c88c __aulldiv 75572->75573 75574 15c8d3 strlen 75573->75574 75575 15c900 75574->75575 75579 15c8f1 75574->75579 75576 1228a1 5 API calls 75575->75576 75578 15c90c 75576->75578 75577 12286d 5 API calls 75577->75579 75578->75533 75593 122ab1 strcmp 75578->75593 75579->75575 75579->75577 75581 15cb7c strcmp 75580->75581 75582 15cb1c 75580->75582 75581->75582 75582->75549 75583 15c7d7 75582->75583 75584 15c849 75583->75584 75585 15c7ea 75583->75585 75586 15c85a fputs 75584->75586 75615 121f91 fflush 75584->75615 75589 15c7fe fputs 75585->75589 75614 1225cb malloc _CxxThrowException free _CxxThrowException ctype 75585->75614 75586->75559 75586->75560 75589->75584 75591->75534 75592->75551 75593->75533 75616 121e9d 75594->75616 75597 1228a1 75598 1228b0 75597->75598 75598->75598 75621 12267f 75598->75621 75600 1228bf 75600->75539 75601->75540 75603 12203b 
75602->75603 75604 122054 75603->75604 75605 122045 75603->75605 75632 1237ff 9 API calls 75604->75632 75631 12421e malloc _CxxThrowException free _CxxThrowException _CxxThrowException 75605->75631 75608 122052 75608->75570 75609->75570 75610->75570 75611->75566 75612->75559 75613->75558 75614->75589 75615->75586 75617 121ea8 75616->75617 75618 121ead 75616->75618 75620 12263c malloc _CxxThrowException free memcpy _CxxThrowException 75617->75620 75618->75597 75620->75618 75622 1226c2 75621->75622 75623 122693 75621->75623 75622->75600 75624 1226c8 _CxxThrowException 75623->75624 75625 1226bc 75623->75625 75626 1226dd 75624->75626 75630 122595 malloc _CxxThrowException free memcpy ctype 75625->75630 75628 121e0c ctype 2 API calls 75626->75628 75629 1226ea 75628->75629 75629->75600 75630->75622 75631->75608 75632->75608 75633 15adb7 75634 15adc1 __EH_prolog 75633->75634 75649 1226dd 75634->75649 75636 15ae1d 75637 122e04 2 API calls 75636->75637 75638 15ae38 75637->75638 75639 122e04 2 API calls 75638->75639 75640 15ae44 75639->75640 75641 122e04 2 API calls 75640->75641 75642 15ae68 75641->75642 75652 15ad29 75642->75652 75646 15ae94 75647 122e04 2 API calls 75646->75647 75648 15aeb2 75647->75648 75650 121e0c ctype 2 API calls 75649->75650 75651 1226ea 75650->75651 75651->75636 75653 15ad33 __EH_prolog 75652->75653 75654 122e04 2 API calls 75653->75654 75655 15ad5f 75654->75655 75656 122e04 2 API calls 75655->75656 75657 15ad72 75656->75657 75658 15af2d 75657->75658 75659 15af37 __EH_prolog 75658->75659 75670 1334f4 malloc _CxxThrowException __EH_prolog 75659->75670 75661 15afac 75662 122e04 2 API calls 75661->75662 75663 15afbb 75662->75663 75664 122e04 2 API calls 75663->75664 75665 15afca 75664->75665 75666 122e04 2 API calls 75665->75666 75667 15afd9 75666->75667 75668 122e04 2 API calls 75667->75668 75669 15afe8 75668->75669 75669->75646 75670->75661 75671 168eb1 75676 168ed1 75671->75676 75674 168ec9 75677 168edb __EH_prolog 75676->75677 75685 169267 
75677->75685 75681 168efd 75690 15e5f1 free ctype 75681->75690 75683 168eb9 75683->75674 75684 121e40 free 75683->75684 75684->75674 75686 169271 __EH_prolog 75685->75686 75691 121e40 free 75686->75691 75688 168ef1 75689 16922b free CloseHandle GetLastError ctype 75688->75689 75689->75681 75690->75683 75691->75688 75692 15993d 75776 15b5b1 75692->75776 75695 159963 75782 131f33 75695->75782 75698 159975 75699 1599ce 75698->75699 75700 1599b7 GetStdHandle GetConsoleScreenBufferInfo 75698->75700 75701 121e0c ctype 2 API calls 75699->75701 75700->75699 75702 1599dc 75701->75702 75903 147b48 75702->75903 75704 159a29 75932 15b96d _CxxThrowException 75704->75932 75706 159a30 75933 147018 8 API calls 2 library calls 75706->75933 75708 159a7c 75934 14ddb5 6 API calls 2 library calls 75708->75934 75709 159a66 _CxxThrowException 75709->75708 75711 159aa6 75713 159aaa _CxxThrowException 75711->75713 75721 159ac0 75711->75721 75712 159a37 75712->75708 75712->75709 75713->75721 75714 159b3a 75938 121fa0 fputc 75714->75938 75716 159bfa _CxxThrowException 75749 159be6 75716->75749 75718 159b63 fputs 75939 121fa0 fputc 75718->75939 75721->75714 75721->75716 75935 147dd7 7 API calls 2 library calls 75721->75935 75936 15c077 6 API calls 75721->75936 75937 121e40 free 75721->75937 75722 159b79 strlen strlen 75724 159e25 75722->75724 75725 159baa fputs fputc 75722->75725 75947 121fa0 fputc 75724->75947 75725->75749 75727 159e2c fputs 75948 121fa0 fputc 75727->75948 75729 159f0c 75953 121fa0 fputc 75729->75953 75732 159f13 fputs 75954 121fa0 fputc 75732->75954 75734 15b67d 12 API calls 75734->75749 75737 15ac3a 75960 15b96d _CxxThrowException 75737->75960 75738 122e04 2 API calls 75738->75749 75739 159e42 75739->75729 75770 159ee0 fputs 75739->75770 75949 15b650 fputc fputs fputs fputc 75739->75949 75950 1221d8 fputs 75739->75950 75951 15bde4 fputc fputs 75739->75951 75741 15ac35 75959 15b988 33 API calls __aulldiv 75741->75959 75749->75724 75749->75725 75749->75734 75749->75738 75752 
159d2a fputs 75749->75752 75759 159d5f fputs 75749->75759 75760 1231e5 malloc _CxxThrowException free _CxxThrowException 75749->75760 75940 1221d8 fputs 75749->75940 75941 12315e malloc _CxxThrowException free _CxxThrowException 75749->75941 75942 123221 malloc _CxxThrowException free _CxxThrowException 75749->75942 75943 121089 malloc _CxxThrowException free _CxxThrowException 75749->75943 75945 121fa0 fputc 75749->75945 75946 121e40 free 75749->75946 75944 1221d8 fputs 75752->75944 75757 159f29 75764 159f77 fputs 75757->75764 75771 159f9f 75757->75771 75955 15b650 fputc fputs fputs fputc 75757->75955 75956 15b5e9 fputc fputs 75757->75956 75957 15bde4 fputc fputs 75757->75957 75759->75749 75760->75749 75958 121fa0 fputc 75764->75958 75952 121fa0 fputc 75770->75952 75771->75737 75771->75741 75777 15994a 75776->75777 75778 15b5bc fputs 75776->75778 75777->75695 75920 121fb3 75777->75920 75972 121fa0 fputc 75778->75972 75780 15b5d5 75780->75777 75781 15b5d9 fputs 75780->75781 75781->75777 75783 131f4f 75782->75783 75784 131f6c 75782->75784 76015 141d73 5 API calls __EH_prolog 75783->76015 75973 1329eb 75784->75973 75787 131f5e _CxxThrowException 75787->75784 75789 131fa3 75791 131fbc 75789->75791 75794 124fc0 5 API calls 75789->75794 75792 131fda 75791->75792 75795 122fec 3 API calls 75791->75795 75796 132022 wcscmp 75792->75796 75804 132036 75792->75804 75793 131f95 _CxxThrowException 75793->75789 75794->75791 75795->75792 75797 1320af 75796->75797 75796->75804 76017 141d73 5 API calls __EH_prolog 75797->76017 75799 1320a9 76018 13393c 6 API calls 2 library calls 75799->76018 75800 1320be _CxxThrowException 75800->75804 75802 1320f4 76019 13393c 6 API calls 2 library calls 75802->76019 75804->75799 75809 13219a 75804->75809 75805 132108 75806 132135 75805->75806 76020 132e04 62 API calls 2 library calls 75805->76020 75813 132159 75806->75813 76021 132e04 62 API calls 2 library calls 75806->76021 76022 141d73 5 API calls __EH_prolog 75809->76022 75811 1321a9 
                                                  Execution graph: the raw node and edge dump of the module's call graph is omitted here. It names the functions by address and the APIs they reach (among them GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError, CloseHandle, DeviceIoControl, SetFileTime, GetDiskFreeSpaceW, VirtualAlloc, VirtualFree, WaitForSingleObject, SetEvent, SetConsoleCtrlHandler, VariantClear, CharUpperW, wcscmp, fputs, fputc, malloc, free, memcpy, memmove, memset and _CxxThrowException); the per-function control-flow graphs and API listings follow.

                                                  Control-flow Graph (function 129313)
                                                  • 1028: 129313-129338 GetCurrentProcess, OpenProcessToken -> 1029, 1030
                                                  • 1029: 129390 -> 1033
                                                  • 1030: 12933a-12934a LookupPrivilegeValueW -> 1031, 1032
                                                  • 1031: 129382 -> 1035
                                                  • 1032: 12934c-129370 AdjustTokenPrivileges -> 1031, 1034
                                                  • 1033: 129393-129398 (return)
                                                  • 1034: 129372-129380 GetLastError -> 1035
                                                  • 1035: 129385-12938e CloseHandle -> 1033
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000020,00131EC5,?,7597AB50,?,?,?,?,00131EC5,00131CEF), ref: 00129329
                                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00131EC5,00131CEF), ref: 00129330
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 00129342
                                                  • AdjustTokenPrivileges.KERNELBASE(00131EC5,00000000,?,00000000,00000000,00000000), ref: 00129368
                                                  • GetLastError.KERNEL32 ref: 00129372
                                                  • CloseHandle.KERNELBASE(00131EC5,?,?,?,?,00131EC5,00131CEF), ref: 00129388
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID: SeRestorePrivilege
                                                  • API String ID: 3398352648-1684392131
                                                  • Opcode ID: 66a04501ee389231717defe0a465379013a3dad967d5b0bcfaf3903f13fd023e
                                                  • Instruction ID: 6f4eb93e215bb6e0bd393594a0a5ae931721b94d7769f76644a7c60e605879fa
                                                  • Opcode Fuzzy Hash: 66a04501ee389231717defe0a465379013a3dad967d5b0bcfaf3903f13fd023e
                                                  • Instruction Fuzzy Hash: 4E016D76A45228ABDB109BF5AC49FDE7F7CBF05240F040164F545E2190D7748A59DBE0

                                                  Control-flow Graph (function 133d66)
                                                  • 1036: 133d66-133d9c call 1bfb10, GetCurrentProcess, call 133e04, OpenProcessToken -> 1041, 1042
                                                  • 1041: 133de3-133dfe call 133e04 (return)
                                                  • 1042: 133d9e-133dbe LookupPrivilegeValueW -> 1041, 1043
                                                  • 1043: 133dc0-133dd3 AdjustTokenPrivileges -> 1041, 1046
                                                  • 1046: 133dd5-133de1 GetLastError -> 1041
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00133D6B
                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00133D7D
                                                  • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00133D94
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00133DB6
                                                  • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00133DCB
                                                  • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00133DD5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCurrentErrorH_prologLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID: SeSecurityPrivilege
                                                  • API String ID: 3475889169-2333288578
                                                  • Opcode ID: 7c8dfb3c22195f28a388614900c93290bbe4ade62dccf85a2379b95891a00982
                                                  • Instruction ID: 5432f6672671ce87f4c4ce53de2fbc9abfc24cc2175499d787627f4c1d8cf8fa
                                                  • Opcode Fuzzy Hash: 7c8dfb3c22195f28a388614900c93290bbe4ade62dccf85a2379b95891a00982
                                                  • Instruction Fuzzy Hash: 791127B5940219ABDB10AFE5DD89AFEFBB8FB04344F400529E426E2590D7308E498AA0
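                                                  The two entries above (129313 enabling SeRestorePrivilege, 133d66 enabling SeSecurityPrivilege) are the same token-privilege pattern: OpenProcessToken with desired access 00000028 (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), LookupPrivilegeValueW, AdjustTokenPrivileges, then GetLastError. The GetLastError call is the part worth noticing: AdjustTokenPrivileges returns success even when the token does not hold the requested privilege, and only GetLastError() == ERROR_NOT_ALL_ASSIGNED (1300) tells the caller it did not get it. The following Python triage helper is an added example for this page, not code from the report, from Joe Sandbox or from 7-Zip: it parses 'APIs' listings in this report's line format, extracts each privilege-enable sequence, records whether the token was opened and whether GetLastError is checked, and assigns a risk tier from a table that is the example's own assumption. The fixture is the two listings above, copied inline so it runs offline.

```python
"""Triage helper for Joe Sandbox 'APIs' listings: extract every token-privilege
enabling sequence (LookupPrivilegeValueW -> AdjustTokenPrivileges -> GetLastError).
Added example for this page; not part of the report, Joe Sandbox or 7-Zip."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed fixture: the two API listings from the report entries above.
SAMPLE_REPORT = """\
APIs
• GetCurrentProcess.KERNEL32(00000020,00131EC5,?,7597AB50,?,?,?,?,00131EC5,00131CEF), ref: 00129329
• OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00131EC5,00131CEF), ref: 00129330
• LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 00129342
• AdjustTokenPrivileges.KERNELBASE(00131EC5,00000000,?,00000000,00000000,00000000), ref: 00129368
• GetLastError.KERNEL32 ref: 00129372
• CloseHandle.KERNELBASE(00131EC5,?,?,?,?,00131EC5,00131CEF), ref: 00129388
APIs
• __EH_prolog.LIBCMT ref: 00133D6B
• GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00133D7D
• OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00133D94
• LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00133DB6
• AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00133DCB
• GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00133DD5
"""

# Risk tiers are this example's own assumption, not a Joe Sandbox rule: "high"
# gives code execution or kernel control, "medium" bypasses file ACLs or SACLs.
PRIVILEGE_RISK = {
    "SeDebugPrivilege": "high", "SeLoadDriverPrivilege": "high", "SeTcbPrivilege": "high",
    "SeTakeOwnershipPrivilege": "high", "SeImpersonatePrivilege": "high",
    "SeRestorePrivilege": "medium", "SeBackupPrivilege": "medium",
    "SeSecurityPrivilege": "medium", "SeCreateSymbolicLinkPrivilege": "medium",
}

# One call line: "• Api.MODULE(arg,arg,...), ref: ADDRESS"; the argument list is
# absent for some calls, e.g. "• GetLastError.KERNEL32 ref: 00129372".
API_LINE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
                      r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")

@dataclass
class ApiCall:
    api: str
    args: List[str]
    ref: str                  # call-site address as printed in the report

@dataclass
class PrivilegeSequence:
    privilege: str
    lookup_ref: str
    adjust_ref: Optional[str]
    opens_token: bool         # OpenProcessToken/OpenThreadToken seen earlier
    checks_last_error: bool   # GetLastError directly after AdjustTokenPrivileges
    risk: str

def parse_api_lines(report: str) -> List[List[ApiCall]]:
    """Return one ordered call list per 'APIs' section of the report text."""
    sections: List[List[ApiCall]] = []
    for raw in report.splitlines():
        line = raw.strip()
        if line == "APIs":
            sections.append([])
            continue
        m = API_LINE.match(line)
        if not m or not sections:
            continue          # subcall notes, headers, hashes: not a call line
        args_text = m.group("args")
        args = [a.strip() for a in args_text.split(",")] if args_text is not None else []
        sections[-1].append(ApiCall(m.group("api"), args, m.group("ref").upper()))
    return sections

def find_privilege_sequences(report: str) -> List[PrivilegeSequence]:
    """Pair each LookupPrivilegeValueW with the AdjustTokenPrivileges after it.

    AdjustTokenPrivileges returns success even when the token does not hold the
    requested privilege; only GetLastError() == ERROR_NOT_ALL_ASSIGNED (1300)
    reveals that, so a GetLastError right after it is recorded as the check.
    """
    found: List[PrivilegeSequence] = []
    for calls in parse_api_lines(report):
        for i, call in enumerate(calls):
            if call.api != "LookupPrivilegeValueW" or len(call.args) < 2:
                continue
            privilege = call.args[1]
            if not privilege.startswith("Se"):
                continue      # name not recovered by the sandbox (e.g. "?")
            opens_token = any(c.api in ("OpenProcessToken", "OpenThreadToken") for c in calls[:i])
            adjust_ref, checks = None, False
            for j in range(i + 1, len(calls)):
                if calls[j].api == "AdjustTokenPrivileges":
                    adjust_ref = calls[j].ref
                    checks = j + 1 < len(calls) and calls[j + 1].api == "GetLastError"
                    break
            found.append(PrivilegeSequence(privilege, call.ref, adjust_ref, opens_token,
                                           checks, PRIVILEGE_RISK.get(privilege, "low")))
    return found

if __name__ == "__main__":
    for s in find_privilege_sequences(SAMPLE_REPORT):
        check = "checks ERROR_NOT_ALL_ASSIGNED" if s.checks_last_error else "no GetLastError check"
        print(f"{s.privilege} [{s.risk}] lookup@{s.lookup_ref} adjust@{s.adjust_ref} {check}")
```

                                                  Run stand-alone it prints one line per sequence. A tuning note for the "Enables security privileges" signature in this report: both sequences come from the module whose snapshot file is hcaresult_9_2_120000_7zr, which suggests the bundled 7zr.exe, and enabling exactly SeRestorePrivilege and SeSecurityPrivilege is consistent with 7-Zip's own Windows helpers for restoring NTFS security descriptors. On its own this routine is therefore expected behaviour for that component; the question for the sample is what the dropper does with what 7zr extracts.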
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 001681F1
                                                    • Part of subcall function 0016F749: _CxxThrowException.MSVCRT(?,001D4A58), ref: 0016F792
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ExceptionH_prologThrow
                                                  • String ID:
                                                  • API String ID: 461045715-3916222277
                                                  • Opcode ID: 87a875a82f28b0a317734990244a513338c85cfd1203ba3c6e915df1390216bb
                                                  • Instruction ID: 749961efe71c529ca0f6e0e2b1b1deb879f27e89a85cddcb21c2c9f1592bf459
                                                  • Opcode Fuzzy Hash: 87a875a82f28b0a317734990244a513338c85cfd1203ba3c6e915df1390216bb
                                                  • Instruction Fuzzy Hash: 9092BF31900259DFDF15DFA8CC84BAEBBB1BF18304F254299E805AB292CB30DE55CB61
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0012686D
                                                    • Part of subcall function 00126848: FindClose.KERNELBASE(00000000,?,00126880), ref: 00126853
                                                  • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 001268A5
                                                  • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 001268DE
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: Find$FileFirst$CloseH_prolog
                                                  • String ID:
                                                  • API String ID: 3371352514-0
                                                  • Opcode ID: 86003b39715234ffc0c590efec4b70a3a4c691303bdc8d6f7ff41f017a2db913
                                                  • Instruction ID: 1326ab23b40f73973c6956ce93ddc0308cedb2b7bcc9b0aef4617ae22c8759ef
                                                  • Opcode Fuzzy Hash: 86003b39715234ffc0c590efec4b70a3a4c691303bdc8d6f7ff41f017a2db913
                                                  • Instruction Fuzzy Hash: 8E11BF31500229EFCF10EF68EC919EDB779EF60324F204669E9A1571D1DB318EA6DB80

                                                  Control-flow Graph (function 15a013)
                                                  • Block-level node and edge dump omitted: the function enters at 15a013-15a01a, branches through blocks that call 131ac8, 1592d3, 15b4f6, 15b55f, 15b0fa, 15b277, 15ad06, 15bf3e, 133a29 and 144345, and contains a long run of fputs / call 122201 / call 121fa0 output blocks between 15a6f0 and 15aa71.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
• Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs$ExceptionThrow
                                                  • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $N
                                                  • API String ID: 3665150552-429544124
                                                  • Opcode ID: 276014b9600e7da17c27c42412e10c0b290114d293a8ece848061aabcabc5805
                                                  • Instruction ID: 4696acc8be9d2893ada146ebd913a4bad557ca9812a0a5b3f993daccd5442599
                                                  • Opcode Fuzzy Hash: 276014b9600e7da17c27c42412e10c0b290114d293a8ece848061aabcabc5805
                                                  • Instruction Fuzzy Hash: F852C131900268EFCF26DBA4DD91BEDBBB5BF64305F00419AE4596B291DB346E88CF11

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
control_flow_graph 274 15a42c-15a433 275 15a435-15a444 fputs call 121fa0 274->275 276 15a449-15a4df call 15545d call 122e04 call 141858 call 121e40 274->276 275->276 286 15a4e1-15a4e9 call 15c7d7 276->286 287 15a4ee-15a4f1 276->287 286->287 288 15a4f3-15a4fa 287->288 289 15a50e-15a520 call 15c73e 287->289 288->289 291 15a4fc-15a509 call 1557fb 288->291 295 15a526-15a544 call 121e0c 289->295 296 15ac0b-15ac2a call 152db9 * 2 289->296 291->289 304 15a546-15a54f call 15b0fa 295->304 305 15a551 295->305 306 15ac2c-15ac33 296->306 307 15ac3a-15ac66 call 15b96d call 121e40 call 143247 296->307 309 15a553-15a55c 304->309 305->309 306->307 310 15ac35 call 15b988 306->310 327 15ac6e-15acb5 call 121e40 call 1211c2 call 15be0c call 152db9 307->327 328 15ac68-15ac6a 307->328 313 15a564-15a5c1 call 122fec call 15b277 309->313 314 15a55e-15a560 309->314 310->307 324 15a5c3-15a5c7 313->324 325 15a5cd-15a652 call 15ad06 call 15bf3e call 133a29 call 122e04 call 144345 313->325 314->313 324->325 348 15a654-15a671 call 14375c call 15b96d 325->348 349 15a676-15a6d6 call 142096 325->349 328->327 348->349 355 15a6e2-15a6e5 349->355 356 15a6d8-15a6dd call 15c7d7 349->356 358 15a6e7-15a6ee 355->358 359 15a72e-15a73a 355->359 356->355 362 15a6f0-15a71d call 121fa0 fputs call 121fa0 call 121fb3 call 121fa0 358->362 363 15a722-15a725 358->363 360 15a73c-15a74a call 121fa0 359->360 361 15a79e-15a7aa 359->361 375 15a755-15a799 fputs call 122201 call 121fa0 fputs call 122201 call 121fa0 360->375 376 15a74c-15a753 360->376 364 15a7ac-15a7b2 361->364 365 15a7d9-15a7e5 361->365 362->363 363->359 366 15a727 363->366 364->365 369 15a7b4-15a7d4 fputs call 122201 call 121fa0 364->369 371 15a7e7-15a7ed 365->371 372 15a818-15a81a 365->372 366->359 369->365 377 15a7f3-15a813 fputs call 122201 call 121fa0 371->377 378 15a899-15a8a5 371->378 372->378 380 15a81c-15a82b 372->380 375->361 376->361 376->375 377->372 384 15a8a7-15a8ad 378->384 385 15a8e9-15a8ed 378->385 387 15a851-15a85d 380->387 388 15a82d-15a84c fputs call 122201 call 121fa0 380->388 391 15a8ef 384->391 395 15a8af-15a8c2 call 121fa0 384->395 390 15a8f6-15a8f8 385->390 385->391 387->378 389 15a85f-15a872 call 121fa0 387->389 388->387 389->378 414 15a874-15a894 fputs call 122201 call 121fa0 389->414 400 15aaaf-15aaeb call 1443b3 call 121e40 call 15c104 call 15ad82 390->400 401 15a8fe-15a90a 390->401 391->390 395->391 419 15a8c4-15a8e4 fputs call 122201 call 121fa0 395->419 400->296 456 15aaf1-15aaf7 400->456 410 15a910-15a91f 401->410 411 15aa73-15aa89 call 121fa0 401->411 410->411 416 15a925-15a929 410->416 411->400 426 15aa8b-15aaaa fputs call 122201 call 121fa0 411->426 414->378 416->400 424 15a92f-15a93d 416->424 419->385 430 15a93f-15a964 fputs call 122201 call 121fa0 424->430 431 15a96a-15a971 424->431 426->400 430->431 433 15a973-15a97a 431->433 434 15a98f-15a9a8 fputs call 122201 431->434 433->434 440 15a97c-15a982 433->440 447 15a9ad-15a9bd call 121fa0 434->447 440->434 445 15a984-15a98d 440->445 445->434 450 15aa06-15aa4b fputs call 122201 call 121fa0 fputs call 122201 445->450 447->450 458 15a9bf-15aa01 fputs call 122201 call 121fa0 fputs call 122201 call 121fa0 447->458 466 15aa50-15aa5b call 121fa0 450->466 456->296 458->450 466->400 472 15aa5d-15aa71 call 121fa0 call 15710e 466->472 472->400
                                                  APIs
                                                  • fputs.MSVCRT(Scanning the drive for archives:), ref: 0015A43E
                                                    • Part of subcall function 00121FA0: fputc.MSVCRT ref: 00121FA7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
• Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputcfputs
                                                  • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $!"$N
                                                  • API String ID: 269475090-3104439828
                                                  • Opcode ID: 594cb8239f7e285cf44d73f9f497baf3854c161f7541220033ac0abd86f824fc
                                                  • Instruction ID: c0d3834d2a6ecce725f1b7761c31c3362b7cc8d75e5601985ff924fba27f61b1
                                                  • Opcode Fuzzy Hash: 594cb8239f7e285cf44d73f9f497baf3854c161f7541220033ac0abd86f824fc
                                                  • Instruction Fuzzy Hash: 0B22B131900258EFDF26EBA4D885BDDFBB1BF64300F10419AE46967291DB356E98CF11

                                                  Control-flow Graph

control_flow_graph 478 15993d-159950 call 15b5b1 481 159963-15997e call 131f33 478->481 482 159952-15995e call 121fb3 478->482 486 159980-15998a 481->486 487 15998f-159998 481->487 482->481 486->487 488 1599a8 487->488 489 15999a-1599a6 487->489 490 1599ab-1599b5 488->490 489->488 489->490 491 1599d5-159a04 call 121e0c call 15acb6 490->491 492 1599b7-1599cc GetStdHandle GetConsoleScreenBufferInfo 490->492 500 159a06-159a08 491->500 501 159a0c-159a24 call 147b48 491->501 492->491 493 1599ce-1599d2 492->493 493->491 500->501 503 159a29-159a48 call 15b96d call 147018 call 131aa4 501->503 510 159a7c-159aa8 call 14ddb5 503->510 511 159a4a-159a4c 503->511 518 159ac0-159ade 510->518 519 159aaa-159abb _CxxThrowException 510->519 512 159a66-159a77 _CxxThrowException 511->512 513 159a4e-159a55 511->513 512->510 513->512 515 159a57-159a64 call 131ac8 513->515 515->510 515->512 521 159ae0-159b04 call 147dd7 518->521 522 159b3a-159b55 518->522 519->518 528 159bfa-159c0b _CxxThrowException 521->528 529 159b0a-159b0e 521->529 526 159b57 522->526 527 159b5c-159ba4 call 121fa0 fputs call 121fa0 strlen * 2 522->527 526->527 541 159e25-159e4d call 121fa0 fputs call 121fa0 527->541 542 159baa-159be4 fputs fputc 527->542 532 159c10 528->532 529->528 531 159b14-159b38 call 15c077 call 121e40 529->531 531->521 531->522 535 159c12-159c25 532->535 543 159c27-159c33 535->543 544 159be6-159bf0 535->544 554 159e53 541->554 555 159f0c-159f34 call 121fa0 fputs call 121fa0 541->555 542->543 542->544 552 159c35-159c3d 543->552 553 159c81-159cb1 call 15b67d call 122e04 543->553 544->532 547 159bf2-159bf8 544->547 547->535 556 159c3f-159c4a 552->556 557 159c6b-159c80 call 1221d8 552->557 595 159d10-159d28 call 15b67d 553->595 596 159cb3-159cb7 553->596 559 159e5a-159e6f call 15b650 554->559 577 15ac23-15ac2a 555->577 578 159f3a 555->578 561 159c54 556->561 562 159c4c-159c52 556->562 557->553 575 159e71-159e79 559->575 576 159e7b-159e7e call 1221d8 559->576 568 159c56-159c69 561->568 562->568 568->556 568->557 586 159e83-159f06 call 15bde4 fputs call 121fa0 575->586 576->586 582 15ac2c-15ac33 577->582 583 15ac3a-15ac66 call 15b96d call 121e40 call 143247 577->583 581 159f41-159f9d call 15b650 call 15b5e9 call 15bde4 fputs call 121fa0 578->581 657 159f9f 581->657 582->583 588 15ac35 call 15b988 582->588 616 15ac6e-15acb5 call 121e40 call 1211c2 call 15be0c call 152db9 583->616 617 15ac68-15ac6a 583->617 586->555 586->559 588->583 618 159d4b-159d53 595->618 619 159d2a-159d4a fputs call 1221d8 595->619 597 159cc1-159cdd call 1231e5 596->597 598 159cb9-159cbc call 12315e 596->598 611 159d05-159d0e 597->611 612 159cdf-159d00 call 123221 call 1231e5 call 121089 597->612 598->597 611->595 611->596 612->611 617->616 624 159dff-159e1f call 121fa0 call 121e40 618->624 625 159d59-159d5d 618->625 619->618 624->541 624->542 631 159d5f-159d6d fputs 625->631 632 159d6e-159d82 625->632 631->632 639 159d84-159d88 632->639 640 159df0-159df9 632->640 646 159d95-159d9f 639->646 647 159d8a-159d94 639->647 640->624 640->625 654 159da5-159db1 646->654 655 159da1-159da3 646->655 647->646 658 159db3-159db6 654->658 659 159db8 654->659 655->654 656 159dd8-159dee 655->656 656->639 656->640 657->577 663 159dbb-159dce 658->663 659->663 670 159dd5 663->670 671 159dd0-159dd3 663->671 670->656 671->656
                                                  APIs
                                                    • Part of subcall function 0015B5B1: fputs.MSVCRT ref: 0015B5CA
                                                    • Part of subcall function 0015B5B1: fputs.MSVCRT ref: 0015B5E1
                                                  • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?), ref: 001599BD
                                                  • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?,?,?), ref: 001599C4
                                                  • _CxxThrowException.MSVCRT(?,001D55B8), ref: 00159A77
                                                  • _CxxThrowException.MSVCRT(?,001D55B8), ref: 00159ABB
                                                    • Part of subcall function 00121FB3: __EH_prolog.LIBCMT ref: 00121FB8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
• Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ExceptionThrowfputs$BufferConsoleH_prologHandleInfoScreen
                                                  • String ID: $ || $Codecs:$Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$P$offset=$N
                                                  • API String ID: 377453556-3661318601
                                                  • Opcode ID: cc348708f186924d293ebe48d4f985e9fc86b1290257dd2550d8418246480145
                                                  • Instruction ID: e2505a3ce2abb903e469fff78fda08ebeebc193418f7a75b09fe0d98d04314a8
                                                  • Opcode Fuzzy Hash: cc348708f186924d293ebe48d4f985e9fc86b1290257dd2550d8418246480145
                                                  • Instruction Fuzzy Hash: 20229231D00218DFDF15EFA4D985BEDBBB1EF58301F10005AE865AB292CB359A99CF61

                                                  Control-flow Graph

control_flow_graph 672 131ade-131b14 call 1bfb10 call 1213f5 677 131b32-131b8b _fileno _isatty _fileno _isatty _fileno _isatty 672->677 678 131b16-131b2d call 141d73 _CxxThrowException 672->678 680 131b9d-131b9f 677->680 681 131b8d-131b91 677->681 678->677 684 131ba0-131bcd 680->684 681->680 683 131b93-131b97 681->683 683->680 687 131b99-131b9b 683->687 685 131bf9-131c12 684->685 686 131bcf-131bf8 call 131ea4 call 1227bb call 121e40 684->686 689 131c20 685->689 690 131c14-131c18 685->690 686->685 687->684 693 131c27-131c2b 689->693 690->689 692 131c1a-131c1e 690->692 692->689 692->693 695 131c34-131c3e 693->695 696 131c2d 693->696 698 131c40-131c43 695->698 699 131c49-131c53 695->699 696->695 698->699 700 131c55-131c58 699->700 701 131c5e-131c68 699->701 700->701 703 131c73-131c79 701->703 704 131c6a-131c6d 701->704 706 131c7b-131c87 703->706 707 131cc9-131cd2 703->707 704->703 708 131c95-131ca1 call 131ed1 706->708 709 131c89-131c93 706->709 710 131cd4-131ce6 707->710 711 131cea call 131eb9 707->711 718 131ca3-131cbb call 141d73 _CxxThrowException 708->718 719 131cc0-131cc3 708->719 709->707 710->711 714 131cef-131cf8 711->714 716 131d37-131d40 714->716 717 131cfa-131d0a 714->717 723 131e93-131ea1 716->723 724 131d46-131d52 716->724 720 131dc2-131dd4 wcscmp 717->720 721 131d10 717->721 718->719 719->707 725 131d17-131d1f call 129399 720->725 727 131dda-131de6 call 131ed1 720->727 721->725 724->723 728 131d58-131d93 call 1226dd call 12280c call 123221 call 123bbf 724->728 725->716 737 131d21-131d32 call 1a6a60 call 129313 725->737 727->725 735 131dec-131e04 call 141d73 _CxxThrowException 727->735 756 131d95-131d9c 728->756 757 131d9f-131da3 728->757 744 131e09-131e0c 735->744 737->716 747 131e31-131e4a call 131f0c GetCurrentProcess SetProcessAffinityMask 744->747 748 131e0e 744->748 761 131e83-131e92 call 123172 call 121e40 747->761 762 131e4c-131e82 GetLastError call 123221 call 1258a9 call 1231e5 call 121e40 747->762 751 131e10-131e12 748->751 752 131e14-131e2c call 141d73 _CxxThrowException 748->752 751->747 751->752 752->747 756->757 757->744 760 131da5-131dbd call 141d73 _CxxThrowException 757->760 760->720 761->723 762->761
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00131AE3
                                                    • Part of subcall function 001213F5: __EH_prolog.LIBCMT ref: 001213FA
                                                  • _CxxThrowException.MSVCRT(?,001D6010), ref: 00131B2D
                                                  • _fileno.MSVCRT ref: 00131B3E
                                                  • _isatty.MSVCRT ref: 00131B47
                                                  • _fileno.MSVCRT ref: 00131B5D
                                                  • _isatty.MSVCRT ref: 00131B60
                                                  • _fileno.MSVCRT ref: 00131B73
                                                  • _CxxThrowException.MSVCRT(?,001D6010), ref: 00131CBB
                                                  • _CxxThrowException.MSVCRT(?,001D6010), ref: 00131DBD
                                                  • wcscmp.MSVCRT ref: 00131DCA
                                                  • _CxxThrowException.MSVCRT(?,001D6010), ref: 00131E04
                                                  • _isatty.MSVCRT ref: 00131B76
                                                    • Part of subcall function 00141D73: __EH_prolog.LIBCMT ref: 00141D78
                                                  • _CxxThrowException.MSVCRT(?,001D6010), ref: 00131E2C
                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,?,Set process affinity mask: ,?), ref: 00131E3B
                                                  • SetProcessAffinityMask.KERNEL32(00000000), ref: 00131E42
                                                  • GetLastError.KERNEL32(?,Set process affinity mask: ,?), ref: 00131E4C
                                                  Strings
                                                  • unsupported value -stm, xrefs: 00131E19
                                                  • Unsupported switch postfix -stm, xrefs: 00131DAA
                                                  • Set process affinity mask: , xrefs: 00131D74
                                                  • SeLockMemoryPrivilege, xrefs: 00131D28
                                                  • Unsupported switch postfix for -slp, xrefs: 00131DF1
                                                  • : ERROR : , xrefs: 00131E52
                                                  • Unsupported switch postfix -bb, xrefs: 00131CA8
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
• Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ExceptionThrow$H_prolog_fileno_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                                                  • String ID: : ERROR : $SeLockMemoryPrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp$unsupported value -stm
                                                  • API String ID: 1826148334-1115009270
                                                  • Opcode ID: 7bea310a123760f467e34357e803553ae9980405137829613be5d52aff164555
                                                  • Instruction ID: 03f9447d388fe02072465b183e469943ed424f1afa9f7cddbc7ec4467e066da5
                                                  • Opcode Fuzzy Hash: 7bea310a123760f467e34357e803553ae9980405137829613be5d52aff164555
                                                  • Instruction Fuzzy Hash: 64C1AF31900245EFDB12DFB8C889BDDBBF5AF29310F048469E499972A2C774ED94CB50

                                                  Control-flow Graph

                                                  control_flow_graph 777 158012-158032 call 1bfb10 780 158285 777->780 781 158038-15806c fputs call 158341 777->781 783 158287-158295 780->783 785 15806e-158071 781->785 786 1580c8-1580cd 781->786 789 158073-158089 fputs call 121fa0 785->789 790 15808b-15808d 785->790 787 1580d6-1580df 786->787 788 1580cf-1580d4 786->788 791 1580e2-158110 call 158341 call 158622 787->791 788->791 789->786 793 158096-15809f 790->793 794 15808f-158094 790->794 804 158112-158119 call 15831f 791->804 805 15811e-15812f call 158565 791->805 797 1580a2-1580c7 call 122e47 call 1585c6 call 121e40 793->797 794->797 797->786 804->805 805->783 812 158135-15813f 805->812 813 158141-158148 call 1582bb 812->813 814 15814d-15815b 812->814 813->814 814->783 817 158161-158164 814->817 818 1581b6-1581c0 817->818 819 158166-158186 817->819 820 158276-15827f 818->820 821 1581c6-1581e1 fputs 818->821 823 15818c-158196 call 158565 819->823 824 158298-15829d 819->824 820->780 820->781 821->820 828 1581e7-1581fb 821->828 831 15819b-15819d 823->831 826 1582b1-1582b9 SysFreeString 824->826 826->783 829 158273 828->829 830 1581fd-15821f 828->830 829->820 834 158221-158245 830->834 835 15829f-1582a1 830->835 831->824 832 1581a3-1581b4 SysFreeString 831->832 832->818 832->819 838 158247-158271 call 1584a7 call 12965d SysFreeString 834->838 839 1582a3-1582ab call 12965d 834->839 836 1582ae 835->836 836->826 838->829 838->830 839->836
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00158017
                                                  • fputs.MSVCRT ref: 0015804D
                                                    • Part of subcall function 00158341: __EH_prolog.LIBCMT ref: 00158346
                                                    • Part of subcall function 00158341: fputs.MSVCRT ref: 0015835B
                                                    • Part of subcall function 00158341: fputs.MSVCRT ref: 00158364
                                                  • fputs.MSVCRT ref: 0015807A
                                                    • Part of subcall function 00121FA0: fputc.MSVCRT ref: 00121FA7
                                                    • Part of subcall function 0012965D: VariantClear.OLEAUT32(?), ref: 0012967F
                                                  • SysFreeString.OLEAUT32(00000000), ref: 001581AA
                                                  • fputs.MSVCRT ref: 001581CD
                                                  • SysFreeString.OLEAUT32(00000000), ref: 00158267
                                                  • SysFreeString.OLEAUT32(00000000), ref: 001582B1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
• Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                                                  • String ID: --$----$Path$Type$Warning: The archive is open with offset
                                                  • API String ID: 2889736305-3797937567
                                                  • Opcode ID: bdb6207de803e0f6f42ab92600910836582a2b1c475070e26bde7fd943c81d50
                                                  • Instruction ID: 8a693545e68818bef82b46caccaf91f6a8b992770f624d49d421e4bac34728a0
                                                  • Opcode Fuzzy Hash: bdb6207de803e0f6f42ab92600910836582a2b1c475070e26bde7fd943c81d50
                                                  • Instruction Fuzzy Hash: EC914B31A00605EFDB14DFA4D985EAEB7B5FF58311F10412DE822BB291DB70AD49CB60

                                                  Control-flow Graph

                                                  control_flow_graph 846 156766-156792 call 1bfb10 EnterCriticalSection 849 156794-156799 call 15c7d7 846->849 850 1567af-1567b7 846->850 854 15679e-1567ac 849->854 852 1567be-1567c3 850->852 853 1567b9 call 121f91 850->853 856 156892-1568a8 852->856 857 1567c9-1567d5 852->857 853->852 854->850 858 156941 856->858 859 1568ae-1568b4 856->859 860 156817-15682f 857->860 861 1567d7-1567dd 857->861 866 156943-15695a 858->866 859->858 863 1568ba-1568c2 859->863 864 156831-156842 call 121fa0 860->864 865 156873-15687b 860->865 861->860 862 1567df-1567eb 861->862 867 1567f3-156801 862->867 868 1567ed 862->868 869 1568c4-1568e6 call 121fa0 fputs 863->869 870 156933-15693f call 15c5cd 863->870 864->865 883 156844-15686c fputs call 122201 864->883 865->870 872 156881-156887 865->872 867->865 873 156803-156815 fputs 867->873 868->867 885 1568e8-1568f9 fputs 869->885 886 1568fb-156917 call 134f2a call 121fb3 call 121e40 869->886 870->866 872->870 878 15688d 872->878 880 15686e call 121fa0 873->880 879 15692e call 121f91 878->879 879->870 880->865 883->880 889 15691c-156928 call 121fa0 885->889 886->889 889->879
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0015676B
                                                  • EnterCriticalSection.KERNEL32(001E2938), ref: 00156781
                                                  • fputs.MSVCRT ref: 0015680B
                                                  • LeaveCriticalSection.KERNEL32(001E2938), ref: 00156944
                                                    • Part of subcall function 0015C7D7: fputs.MSVCRT ref: 0015C840
                                                  • fputs.MSVCRT ref: 00156851
                                                    • Part of subcall function 00122201: fputs.MSVCRT ref: 0012221E
                                                  • fputs.MSVCRT ref: 001568D9
                                                  • fputs.MSVCRT ref: 001568F6
                                                    • Part of subcall function 00121FA0: fputc.MSVCRT ref: 00121FA7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
• Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                                                  • String ID: v$Sub items Errors:
                                                  • API String ID: 2670240366-2468115448
                                                  • Opcode ID: c2477f59217f90fa78bd44d1bc0a485466910347ef6fd02b8ac76db26d8a4a71
                                                  • Instruction ID: b91f645940248e46230324ba8e53a7790dc027b246082419d0dfe8dc7af0ed9f
                                                  • Opcode Fuzzy Hash: c2477f59217f90fa78bd44d1bc0a485466910347ef6fd02b8ac76db26d8a4a71
                                                  • Instruction Fuzzy Hash: 7F51B031500700DFC724DF64D995AAAB7E2FF54315F94442EE5AA8B661CB31AC58CB80

                                                  Control-flow Graph

                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0015635E
                                                  • fputs.MSVCRT ref: 0015645F
                                                    • Part of subcall function 0015C7D7: fputs.MSVCRT ref: 0015C840
                                                  • fputs.MSVCRT ref: 00156547
                                                  • fputs.MSVCRT ref: 0015665F
                                                  • fputs.MSVCRT ref: 001566AE
                                                    • Part of subcall function 00121F91: fflush.MSVCRT ref: 00121F93
                                                    • Part of subcall function 00121FB3: __EH_prolog.LIBCMT ref: 00121FB8
                                                    • Part of subcall function 00121E40: free.MSVCRT ref: 00121E44
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs$H_prolog$fflushfree
                                                  • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                                                  • API String ID: 1750297421-1898165966
                                                  • Opcode ID: d2a4feb43ed5235df4609b1f785867388833e7bcd41deae52c1cde5a8c9a45c9
                                                  • Instruction ID: 2ad56c003680d8ca6ef4c0be8be456a4a2ba6050fd88d29795528303dfdbc14d
                                                  • Opcode Fuzzy Hash: d2a4feb43ed5235df4609b1f785867388833e7bcd41deae52c1cde5a8c9a45c9
                                                  • Instruction Fuzzy Hash: 1CB18B30601701DFDB24EF60D9A1BAAB7F2BF64305F44452DE96A4B692DB30AD58CF90

                                                  Control-flow Graph

                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00129CB3
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00129CBA
                                                  • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00129CC8
                                                  • GlobalMemoryStatus.KERNEL32(?), ref: 00129CFA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus$AddressHandleModuleProc
                                                  • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                                                  • API String ID: 180289352-802862622
                                                  • Opcode ID: ffe02eb1cbdba4ace05521f53f9744f1a87974d5745997fb0c7741c37311cc4e
                                                  • Instruction ID: 96123c1112b7fa6d12d7e7cc70395be787f6c34b5ad594ebc8208b774ec2b7fc
                                                  • Opcode Fuzzy Hash: ffe02eb1cbdba4ace05521f53f9744f1a87974d5745997fb0c7741c37311cc4e
                                                  • Instruction Fuzzy Hash: 98115770A00319DBCF24DFA8E899BADBBF5BB14305F10441CE486A7640E778E8A0CB94

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
                                                  • String ID:
                                                  • API String ID: 4012487245-0
                                                  • Opcode ID: e815e1b49f38d4b43b20bd95e520a2324238b5f095017c1dbd9a5168bdcae25f
                                                  • Instruction ID: db8b56f690a39220f7c2506f2e3d261226d0f47f7671ea7368840fec1518ede5
                                                  • Opcode Fuzzy Hash: e815e1b49f38d4b43b20bd95e520a2324238b5f095017c1dbd9a5168bdcae25f
                                                  • Instruction Fuzzy Hash: 5A212771900688EFCB119FE5DC85EEEBBB9FB0D720F140219F525A6AE1C7749880CB60

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__setusermatherr_controlfpexit
                                                  • String ID:
                                                  • API String ID: 279829931-0
                                                  • Opcode ID: 392a614e8cd2731fa4c72cf2984482b2ca889009751eea650d416cc3650393ae
                                                  • Instruction ID: 77d5f7ebda35fc97525c37a489d9d10e405028cf3b2d41a7a8a9297b0476e136
                                                  • Opcode Fuzzy Hash: 392a614e8cd2731fa4c72cf2984482b2ca889009751eea650d416cc3650393ae
                                                  • Instruction Fuzzy Hash: 440108B2900648EFDB05AFE0DC56DEEBB79FB1C310B14001AFA05B66A1DB75D990CB60

                                                  Control-flow Graph

                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0014185D
                                                    • Part of subcall function 0014021A: __EH_prolog.LIBCMT ref: 0014021F
                                                    • Part of subcall function 0014062E: __EH_prolog.LIBCMT ref: 00140633
                                                  • _CxxThrowException.MSVCRT(?,001D6010), ref: 00141961
                                                    • Part of subcall function 00141AA5: __EH_prolog.LIBCMT ref: 00141AAA
                                                  Strings
                                                  • Duplicate archive path:, xrefs: 00141A8D
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$ExceptionThrow
                                                  • String ID: Duplicate archive path:
                                                  • API String ID: 2366012087-4000988232
                                                  • Opcode ID: 7b9ab18bc560c735d4aa1496b98975c4c0218ea1c742f94bc29443292bd28174
                                                  • Instruction ID: 14e4af89d2856a3bed4878cb5fc8b5af418d95e32b64f00c8c80e6016ae95043
                                                  • Opcode Fuzzy Hash: 7b9ab18bc560c735d4aa1496b98975c4c0218ea1c742f94bc29443292bd28174
                                                  • Instruction Fuzzy Hash: AD818C31D00158EFCF15EFA4D991ADDBBB5EF29310F2040A9E512772A2DB30AE45CB60

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: ede0431139ccf62a2cd394ae0b2e1b9365d3eeb504a6e4da7925d55f97dc8e26
                                                  • Instruction ID: 7b0386b70312c771223e58d71a2f570979853d4f57232c3a714d3159378432c9
                                                  • Opcode Fuzzy Hash: ede0431139ccf62a2cd394ae0b2e1b9365d3eeb504a6e4da7925d55f97dc8e26
                                                  • Instruction Fuzzy Hash: 1A519C76A00219AFDB14DFA4DC94BBEB3B5FB98354F14842DE901AB341D770E916CBA0

                                                  Control-flow Graph

                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00126C77
                                                  • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 00126EC9
                                                    • Part of subcall function 00126C72: wcscmp.MSVCRT ref: 001270A5
                                                    • Part of subcall function 00126BF5: __EH_prolog.LIBCMT ref: 00126BFA
                                                    • Part of subcall function 00126BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 00126C1A
                                                    • Part of subcall function 00126BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00126C49
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                                                  • String ID: :$DATA
                                                  • API String ID: 3316598575-2587938151
                                                  • Opcode ID: cd5b2c5f3c4a5cc594ddb4c86da41d2f93a9158244b28467d5f4d7423ae90a9b
                                                  • Instruction ID: 4066b01870c179d5213e780eff725ff557f67eb93ecec6db38e555cd42ade6c9
                                                  • Opcode Fuzzy Hash: cd5b2c5f3c4a5cc594ddb4c86da41d2f93a9158244b28467d5f4d7423ae90a9b
                                                  • Instruction Fuzzy Hash: DDE112309002299BCF25EFA4F891BEEB7B1EF25314F10451DE886672D2DB70A979CB51
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00136FCA
                                                    • Part of subcall function 00136E71: __EH_prolog.LIBCMT ref: 00136E76
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
                                                  • API String ID: 3519838083-394804653
                                                  • Opcode ID: 526270766d2cd31a2da70dc2c88ee2f53a0f31094dcff58c74216af6a239a754
                                                  • Instruction ID: 61be6466363830a7a066e54a3f8f47f473ea1c4f1e1ce0ea31a97c93ad858c58
                                                  • Opcode Fuzzy Hash: 526270766d2cd31a2da70dc2c88ee2f53a0f31094dcff58c74216af6a239a754
                                                  • Instruction Fuzzy Hash: 4741A9B2905684ABCF35DFA4C490AEEFBF5AF59340F54446EE086A3241C7306E45C761
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs$H_prolog
                                                  • String ID: =
                                                  • API String ID: 2614055831-2525689732
                                                  • Opcode ID: 2e3b5a345ede8e854f881f481739ee7a681cd3a9ad2737560abff2626fbce6cd
                                                  • Instruction ID: dab945b9b887f92b587af4ebff79670e595d7315b824ac7527a742cb0bc19513
                                                  • Opcode Fuzzy Hash: 2e3b5a345ede8e854f881f481739ee7a681cd3a9ad2737560abff2626fbce6cd
                                                  • Instruction Fuzzy Hash: 5E217232914118EBCF0AEB94ED52BEDBBB5EF68310F20002AF801761A1EF715E55DB91
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00158346
                                                  • fputs.MSVCRT ref: 0015835B
                                                  • fputs.MSVCRT ref: 00158364
                                                    • Part of subcall function 001583BF: __EH_prolog.LIBCMT ref: 001583C4
                                                    • Part of subcall function 001583BF: fputs.MSVCRT ref: 00158401
                                                    • Part of subcall function 001583BF: fputs.MSVCRT ref: 00158437
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs$H_prolog
                                                  • String ID: =
                                                  • API String ID: 2614055831-2525689732
                                                  • Opcode ID: 2bedba061a8e0d1548b4b14f703e312fd8ad396f4804a8f7868840cedb1792c8
                                                  • Instruction ID: fa40149cec2b1aad3c41a78b5b4c90ba83d7423125e4b9f26bfd69b7f8c6687d
                                                  • Opcode Fuzzy Hash: 2bedba061a8e0d1548b4b14f703e312fd8ad396f4804a8f7868840cedb1792c8
                                                  • Instruction Fuzzy Hash: 87016231A00014EBCB16BBA5D912AEEBB75EFA4750F00401AF811A61A1CF748A69DBD1
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,00000000,0013AB57), ref: 001B7DAA
                                                  • GetLastError.KERNEL32(?,00000000,0013AB57), ref: 001B7DBB
                                                  • CloseHandle.KERNELBASE(00000000,?,00000000,0013AB57), ref: 001B7DCF
                                                  • GetLastError.KERNEL32(?,00000000,0013AB57), ref: 001B7DD9
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseHandleObjectSingleWait
                                                  • String ID:
                                                  • API String ID: 1796208289-0
                                                  • Opcode ID: b99b5e0ee892aa0f3cc72bf57eff61f5f00628a740360a4d7be56706e13ed69a
                                                  • Instruction ID: bb600440015d009ac479ae4a044c0dc07d5b949b02e2d18ad60717628721ebba
                                                  • Opcode Fuzzy Hash: b99b5e0ee892aa0f3cc72bf57eff61f5f00628a740360a4d7be56706e13ed69a
                                                  • Instruction Fuzzy Hash: 84F0127130C2029BEB206AFD9C84FB66AD8AF913F4B250B29F565D31D0DB60CC418660
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0014209B
                                                    • Part of subcall function 0012757D: GetLastError.KERNEL32(0012D14C), ref: 0012757D
                                                    • Part of subcall function 00142C6C: __EH_prolog.LIBCMT ref: 00142C71
                                                    • Part of subcall function 00121E40: free.MSVCRT ref: 00121E44
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$ErrorLastfree
                                                  • String ID: Cannot find archive file$The item is a directory
                                                  • API String ID: 683690243-1569138187
                                                  • Opcode ID: 26c02b92b0c6908cb79baee148c9f3bd7f4ef03301e22b4b691a25758746124b
                                                  • Instruction ID: f0330b1d5ebcc9160e24a0af5ba078ab81607281cdafa7573e2d024e571be0ed
                                                  • Opcode Fuzzy Hash: 26c02b92b0c6908cb79baee148c9f3bd7f4ef03301e22b4b691a25758746124b
                                                  • Instruction Fuzzy Hash: 8C724770D00258DFCB25DFA8C984BDDBBB1BF69304F65409AE859A7262C770AE81CF51
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: CountTickfputs
                                                  • String ID: .
                                                  • API String ID: 290905099-4150638102
                                                  • Opcode ID: 2ff3ba9371f6fa1b12bb0bea1247d4856406f1ef97a7821008288b03d6b5d2a8
                                                  • Instruction ID: 264cc73e8449e6b3e4481788f7e6cf873552e07761362d596ef20d81fbf501e2
                                                  • Opcode Fuzzy Hash: 2ff3ba9371f6fa1b12bb0bea1247d4856406f1ef97a7821008288b03d6b5d2a8
                                                  • Instruction Fuzzy Hash: 7A715B30600B04DFCB21EF69C991AAEB7F6AF91705F00481DE8A79BA41DB70F949CB51
                                                  APIs
                                                    • Part of subcall function 00129C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00129CB3
                                                    • Part of subcall function 00129C8F: GetProcAddress.KERNEL32(00000000), ref: 00129CBA
                                                    • Part of subcall function 00129C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00129CC8
                                                  • __aulldiv.LIBCMT ref: 0016093F
                                                  • __aulldiv.LIBCMT ref: 0016094B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                                                  • String ID: 3333
                                                  • API String ID: 3520896023-2924271548
                                                  • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                                  • Instruction ID: 1fe0ee3e09f8afd3ba7d31a82ca6659389d2eaddfb5ab6145bfa1d4faf2cf48a
                                                  • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                                  • Instruction Fuzzy Hash: 7321BAB09007046FE730DF6A8C81A9BBAF9EB98714F00892EF189D3241D770E9508765
                                                  APIs
                                                    • Part of subcall function 00121E40: free.MSVCRT ref: 00121E44
                                                  • memset.MSVCRT ref: 0014AEBA
                                                  • memset.MSVCRT ref: 0014AECD
                                                    • Part of subcall function 001604D2: _CxxThrowException.MSVCRT(?,001D4A58), ref: 001604F8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: memset$ExceptionThrowfree
                                                  • String ID: Split
                                                  • API String ID: 1404239998-1882502421
                                                  • Opcode ID: 0fb4f85cc4ed7631761167063ba21298874cfdedf9871a2d1f02cd448ecd2bf1
                                                  • Instruction ID: edbd522ba2a40518ae80dcbbfa8cfb541973df2b8f50b93c1615fa1adb898ba8
                                                  • Opcode Fuzzy Hash: 0fb4f85cc4ed7631761167063ba21298874cfdedf9871a2d1f02cd448ecd2bf1
                                                  • Instruction Fuzzy Hash: 99426930A40259DFDF25DBA4C984BEDBBB2FF15304F5540A9E449A7262CB31AE81CF12
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0012759F
                                                    • Part of subcall function 0012764C: CloseHandle.KERNELBASE(00000000,?,001275AF,00000002,?,00000000,00000000), ref: 00127657
                                                  • CreateFileW.KERNELBASE(00000000,00000000,?,00000000,00000002,00000000,00000000,?,00000000,00000002,?,00000000,00000000), ref: 001275E5
                                                  • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,00000000,?,00000000,00000002), ref: 00127626
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: CreateFile$CloseH_prologHandle
                                                  • String ID:
                                                  • API String ID: 449569272-0
                                                  • Opcode ID: eee2bc739adcf16198dd47fcfb75052fdbd0ed9aee12f2737380cbcf3bde2661
                                                  • Instruction ID: dcda2bd30f71560eaead82191026907bc2c13d8b225d5ffe720c13ed36401f08
                                                  • Opcode Fuzzy Hash: eee2bc739adcf16198dd47fcfb75052fdbd0ed9aee12f2737380cbcf3bde2661
                                                  • Instruction Fuzzy Hash: 8011B47280011AEFCF119FA8EC418EFBB7AFF54354B048529F860621A1C7318D71DB50
                                                  APIs
                                                  • fputs.MSVCRT ref: 00158437
                                                  • fputs.MSVCRT ref: 00158401
                                                    • Part of subcall function 00121FB3: __EH_prolog.LIBCMT ref: 00121FB8
                                                  • __EH_prolog.LIBCMT ref: 001583C4
                                                    • Part of subcall function 00121FA0: fputc.MSVCRT ref: 00121FA7
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prologfputs$fputc
                                                  • String ID:
                                                  • API String ID: 678540050-0
                                                  • Opcode ID: 5b321422da7c97857f4331dccc92f521795a4f30939c97e4f6daf127ad9b58cb
                                                  • Instruction ID: f5f1cb8ff745d719f6ee436f8c4a31310cd17b077a180fc0134f262c3e5bbd28
                                                  • Opcode Fuzzy Hash: 5b321422da7c97857f4331dccc92f521795a4f30939c97e4f6daf127ad9b58cb
                                                  • Instruction Fuzzy Hash: 13110632B04124ABCF09B7A0FD13AAEBB76EFB4750F00002DF501A2691DF255929CAD4
                                                  APIs
                                                  • SetFilePointer.KERNELBASE(00000002,?,00000000,?,00000002,00000002,?,00000002,?,001277DB,?,?,00000000,?,00127832,?), ref: 00127773
                                                  • GetLastError.KERNEL32(?,001277DB,?,?,00000000,?,00127832,?,?,?,?,00000000), ref: 00127780
                                                  • SetLastError.KERNEL32(00000000,?,?,001277DB,?,?,00000000,?,00127832,?,?,?,?,00000000), ref: 00127797
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$FilePointer
                                                  • String ID:
                                                  • API String ID: 1156039329-0
                                                  • Opcode ID: 9a26a4a739d4b5eeca10e735ed1f83682d79d31d265a6854f8414f6d6014b8f8
                                                  • Instruction ID: 0fbc2c51511434222afd32b5f53d7e709e4dfd3d0cf7d036dd18f18b210e4f4c
                                                  • Opcode Fuzzy Hash: 9a26a4a739d4b5eeca10e735ed1f83682d79d31d265a6854f8414f6d6014b8f8
                                                  • Instruction Fuzzy Hash: B5119D75604305AFEF158F68EC49BAB3BE5AB04320F148429F85697291D7B0DD609B50
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00125A91
                                                  • SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 00125AB7
                                                  • SetFileAttributesW.KERNEL32(?,?,00000000,?,?,00000000), ref: 00125AEC
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: AttributesFile$H_prolog
                                                  • String ID:
                                                  • API String ID: 3790360811-0
                                                  • Opcode ID: 38667ac90e3e687d0addf401618e472d795da0d285c376cb898477427e620606
                                                  • Instruction ID: b88f37995a35ac75d2d668a5b3060f88265548edee0705deaec2cd7143c44f60
                                                  • Opcode Fuzzy Hash: 38667ac90e3e687d0addf401618e472d795da0d285c376cb898477427e620606
                                                  • Instruction Fuzzy Hash: 0C01B532E00235ABCF15ABA4BCD1AFEB777EF65350F15442AEC1163151DB358D21E650
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(001E2938), ref: 0015588B
                                                  • LeaveCriticalSection.KERNEL32(001E2938), ref: 001558BC
                                                    • Part of subcall function 0015C911: GetTickCount.KERNEL32 ref: 0015C926
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$CountEnterLeaveTick
                                                  • String ID: v
                                                  • API String ID: 1056156058-3261393531
                                                  • Opcode ID: 5668940ee4193603f71b19b3e485b69f564ee88aa8caf362aeeaa3728c5f8290
                                                  • Instruction ID: 61fac79641d70bc215818dcd5e23afb88dd5fb279096a852e539cd3ab0b62332
                                                  • Opcode Fuzzy Hash: 5668940ee4193603f71b19b3e485b69f564ee88aa8caf362aeeaa3728c5f8290
                                                  • Instruction Fuzzy Hash: CDE0ED79605210DFC304DF19D919E9A7BA5AFD8312F05056DF4199B362C734DC49CAA1
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00135BEF
                                                    • Part of subcall function 001354C0: __EH_prolog.LIBCMT ref: 001354C5
                                                    • Part of subcall function 00135630: __EH_prolog.LIBCMT ref: 00135635
                                                    • Part of subcall function 001436EA: __EH_prolog.LIBCMT ref: 001436EF
                                                    • Part of subcall function 001357C1: __EH_prolog.LIBCMT ref: 001357C6
                                                    • Part of subcall function 001358BE: __EH_prolog.LIBCMT ref: 001358C3
                                                  Strings
                                                  • Cannot seek to begin of file, xrefs: 0013610F
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: Cannot seek to begin of file
                                                  • API String ID: 3519838083-2298593816
                                                  • Opcode ID: a01fb98fca100ea5909a4d58fa374da67cd676d915915a5ee5a67e3ff9600efe
                                                  • Instruction ID: 8221c539b618e23208903fcfe7b5277e237b8e44ce037aaab7eb05e28b1fef25
                                                  • Opcode Fuzzy Hash: a01fb98fca100ea5909a4d58fa374da67cd676d915915a5ee5a67e3ff9600efe
                                                  • Instruction Fuzzy Hash: 4E123471904749AFDF26DFB4C884BEEBBF6AF64304F14406DE44667292CB70AA48CB51
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00164E8F
                                                    • Part of subcall function 0012965D: VariantClear.OLEAUT32(?), ref: 0012967F
                                                    • Part of subcall function 00121E40: free.MSVCRT ref: 00121E44
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ClearH_prologVariantfree
                                                  • String ID: file
                                                  • API String ID: 904627215-2359244304
                                                  • Opcode ID: c4e9690e62f27ad77155b81dca3b2e270aaf3a54263ad25f6a8e27855e88f9e1
                                                  • Instruction ID: d8be2fefc9d864e6211c063fd23a60a01ca3779df39e18ef751fa16571c45194
                                                  • Opcode Fuzzy Hash: c4e9690e62f27ad77155b81dca3b2e270aaf3a54263ad25f6a8e27855e88f9e1
                                                  • Instruction Fuzzy Hash: 4E127030900219EFCF16EFA4DD91AEDBBB6FF64344F204068E405AB252DB31AE65CB50
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00142CE0
                                                    • Part of subcall function 00125E10: __EH_prolog.LIBCMT ref: 00125E15
                                                    • Part of subcall function 001341EC: _CxxThrowException.MSVCRT(?,001D4A58), ref: 0013421A
                                                    • Part of subcall function 0012965D: VariantClear.OLEAUT32(?), ref: 0012967F
                                                  Strings
                                                  • Cannot create output directory, xrefs: 00143070
                                                  Similarity
                                                  • API ID: H_prolog$ClearExceptionThrowVariant
                                                  • String ID: Cannot create output directory
                                                  • API String ID: 814188403-1181934277
                                                  • Opcode ID: dcb80487a5165735b18d371eb7f5211cae72281d4306d48b081b4754cc8a1709
                                                  • Instruction ID: 3ba001a2b583ba88ca8447057e8776e250dc96ed4d150f1c650176f35177b0bf
                                                  • Instruction Fuzzy Hash: 8EF1C570900289EFCF25EFA4C890AEDBBB5BF29300F5440ADF44567261DB30AE89CB51
                                                  APIs
                                                  • fputs.MSVCRT ref: 0015C840
                                                    • Part of subcall function 001225CB: _CxxThrowException.MSVCRT(?,001D4A58), ref: 001225ED
                                                  Strings
                                                  Similarity
                                                  • API ID: ExceptionThrowfputs
                                                  • String ID:
                                                  • API String ID: 1334390793-399585960
                                                  • Opcode ID: a87e62804de4540184204783fdd5e84a11e18b36e5498da7837e3713a3f147b4
                                                  • Instruction ID: e1f525b9fc711c6046f459400aeebfe04a2a2a3bc8e0d6e01e015f9f06df842a
                                                  • Instruction Fuzzy Hash: E9110171604700AFDB25CF59C8C1BAAFBE6EF59304F04446EE5968B240C7B1BC08CBA0
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: fputs
                                                  • String ID: Open
                                                  • API String ID: 1795875747-71445658
                                                  • Opcode ID: d8f9a411b4e0e079136ef37743a4b754b540f4378e78528dddc07120c0347ae5
                                                  • Instruction ID: 46f3e965ac367146fc80853c11ff2a2124d484555933d46c03f302485326ee5a
                                                  • Instruction Fuzzy Hash: 5611A072105B04DFC720EF74ED91ADABBA1EF64310F50852EE5AA87252DB31A858CF90
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 001358C3
                                                    • Part of subcall function 00126C72: __EH_prolog.LIBCMT ref: 00126C77
                                                    • Part of subcall function 00121E40: free.MSVCRT ref: 00121E44
                                                  Similarity
                                                  • API ID: H_prolog$free
                                                  • String ID:
                                                  • API String ID: 2654054672-0
                                                  • Opcode ID: 450ece74ef70db73893a77f28405aa19214a55262db97bbdc7bbbc14aa503246
                                                  • Instruction ID: 730e536a6b61172abce7bb645edc831682e845d7854e3045fa645ff71df00fc0
                                                  • Instruction Fuzzy Hash: DE911631900515EFCF25EFA4D881AEEFBB3EF64744F214068E542A7251DB309D54DB60
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 001706B3
                                                  • _CxxThrowException.MSVCRT(?,001DD480), ref: 001708F2
                                                    • Part of subcall function 00121E0C: malloc.MSVCRT ref: 00121E1F
                                                    • Part of subcall function 00121E0C: _CxxThrowException.MSVCRT(?,001D4B28), ref: 00121E39
                                                  Similarity
                                                  • API ID: ExceptionThrow$H_prologmalloc
                                                  • String ID:
                                                  • API String ID: 3044594480-0
                                                  • Opcode ID: c27bfc4316a96386b6c73514d755c143c605b6674b01be420e18e5df80b1f3cf
                                                  • Instruction ID: 3c9ab3217dd58bcde6ffd3f89c503e419e824063d6767fcbeabd669e164bf903
                                                  • Instruction Fuzzy Hash: 11915D71D00259DFCF22DFA8C891AEEBBB5BF19304F148199E449A7252C730AE54CF61
                                                  APIs
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: 4445672405e6c2817b944c5764a01a2bfa520ce7ac6f591eec367f60e3631caf
                                                  • Instruction ID: 4c4a855283d4af3ed1d1b91eb49ac40b86c0b7767f4655c60525b2719fb46c8d
                                                  • Instruction Fuzzy Hash: 46517DB5508B80AFDB35DF64C490AEBBBF1BF55300F18885DE4DA5B282C730A984DB50
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00147B4D
                                                  • memcpy.MSVCRT(00000000,001E27DC,00000000,00000000,?,?,00000000,00000000,00000000,00000002), ref: 00147C65
                                                  Similarity
                                                  • API ID: H_prologmemcpy
                                                  • String ID:
                                                  • API String ID: 2991061955-0
                                                  • Opcode ID: 77edc33ad69dc2e5d2a79a7b9126654cea610de8e57c18c34f23a5b5fe94aa9b
                                                  • Instruction ID: df170b322ee4222c12669ec0fc1719cb8ef35f0bd399c32f23214e645539ca4d
                                                  • Instruction Fuzzy Hash: A1416A719042199BCF21EFA4D991EEEB7F4FF24300F104429E456A72A2DB35AE09CB61
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00171516
                                                    • Part of subcall function 001710D3: __EH_prolog.LIBCMT ref: 001710D8
                                                  • _CxxThrowException.MSVCRT(?,001DD480), ref: 00171561
                                                  Similarity
                                                  • API ID: H_prolog$ExceptionThrow
                                                  • String ID:
                                                  • API String ID: 2366012087-0
                                                  • Opcode ID: 329c5cdb7c102bafbc3d05dda4bb4ccfb6301a1ddadb88ef3035b652dd90b715
                                                  • Instruction ID: 4edc33acd14da53d693246d4982b6d7a173293e4db2e91a7c47083336cb029b4
                                                  • Instruction Fuzzy Hash: 2D01A232540248BEDF158F98C855BEE7FB8EF95354F04805EF8495A211C3B5E951C7A1
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00155800
                                                  • fputs.MSVCRT ref: 00155830
                                                    • Part of subcall function 00121FA0: fputc.MSVCRT ref: 00121FA7
                                                    • Part of subcall function 00121E40: free.MSVCRT ref: 00121E44
                                                  Similarity
                                                  • API ID: H_prologfputcfputsfree
                                                  • String ID:
                                                  • API String ID: 195749403-0
                                                  • Opcode ID: 4695b34f5c34434863e5f0b9218ae93669787e3fd1146ea0210a2d4a7dafcba6
                                                  • Instruction ID: 1314adaffb58c5bbb2bfb7e4283ea777a91dd7310d9763b9b6d824ea13db3ea6
                                                  • Instruction Fuzzy Hash: ACF05E32910514DBCB16EB94E916BDEBBB1EF24350F00442EE811A6591CB746D95CB84
                                                  APIs
                                                  • SysAllocStringLen.OLEAUT32(?,?), ref: 0012952C
                                                  • _CxxThrowException.MSVCRT(?,001D55B8), ref: 0012954A
                                                  Similarity
                                                  • API ID: AllocExceptionStringThrow
                                                  • String ID:
                                                  • API String ID: 3773818493-0
                                                  • Opcode ID: d81f698e8a79d6410f65e5d2005a285c8d2a78d909cc75c7d47e4df7d7cc631c
                                                  • Instruction ID: 6c05353c999c9cdee3e4ce0b38bdfeb679d55ccc06e4332f4c15b41f94c657c7
                                                  • Instruction Fuzzy Hash: 33F0ED72750314AFC710EFA8E985D867BEDEF15790B40846AF949CB610E775E8508BD0
                                                  APIs
                                                  Similarity
                                                  • API ID: fputs$fputc
                                                  • String ID:
                                                  • API String ID: 1185151155-0
                                                  • Opcode ID: fc8fdbc53213c1b5f3e9ea0b4786a472b6d12e1db295833141e0f052fc383e5f
                                                  • Instruction ID: 94ebd0d9c1c1a9d5da417934289654b4330e2efe998e85b406718580657ccf5c
                                                  • Instruction Fuzzy Hash: D0E0C23720A120AF971B2B49BC45E5437D5DBCD362329002FEA40D7A60BF133C595AA4
                                                  APIs
                                                  Similarity
                                                  • API ID: ErrorLast_beginthreadex
                                                  • String ID:
                                                  • API String ID: 4034172046-0
                                                  • Opcode ID: 5434890bb3358253dc8e0c592f525f46c766a6f297dca3a50159e5040e36495d
                                                  • Instruction ID: 070ba4d89f2319e0b608bc00f5054282813527b19a8de269de0e211d7fadf862
                                                  • Instruction Fuzzy Hash: 00E08CB62082026AE3109B608C02FB77698ABA0B40F40846DFA45D61C0E760CD00C7A1
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(?,?,00129C6E), ref: 00129C52
                                                  • GetProcessAffinityMask.KERNEL32(00000000), ref: 00129C59
                                                  Similarity
                                                  • API ID: Process$AffinityCurrentMask
                                                  • String ID:
                                                  • API String ID: 1231390398-0
                                                  • Opcode ID: c73579c6d4fcc204a7e2432c8b011e48c9fa7d683291aafd33317358fccd57e8
                                                  • Instruction ID: c94274036904f44a8dd69cccc8306e99113523a9202b7223f8b03cf6b67a0853
                                                  • Instruction Fuzzy Hash: 94B092BA400200EBCE009BA09D0CC1A3F2CBB042013004644F10DC2410C636C8958BA1
                                                  APIs
                                                  • memcpy.MSVCRT(?,00000000,00000000,00000000,00040000,?), ref: 0012B843
                                                  • GetLastError.KERNEL32 ref: 0012B8AA
                                                  Similarity
                                                  • API ID: ErrorLastmemcpy
                                                  • String ID:
                                                  • API String ID: 2523627151-0
                                                  • Opcode ID: 98f51fc08e9ed5461dd48e95738d23d04975e176c9369de9f328d1517812607c
                                                  • Instruction ID: 1816e064ce718829ed00791ef140fab00554bf61eed9cf8af3eb7cf2ca654f83
                                                  • Instruction Fuzzy Hash: A1815B31A047259FDB64CF25E9C0A6AB7F6FF84314F14492EE88A87A40E734F861CB50
                                                  APIs
                                                  Similarity
                                                  • API ID: ExceptionThrowmalloc
                                                  • String ID:
                                                  • API String ID: 2436765578-0
                                                  • Opcode ID: 18b3f94735b044afd0ced275a77c749aa9931341c61ed3b6c4c97ece92023f1a
                                                  • Instruction ID: aaef2f55689fd46bd0a63abcd41829f370c779d7f5ce5961c378fc9e43de082a
                                                  • Opcode Fuzzy Hash: 18b3f94735b044afd0ced275a77c749aa9931341c61ed3b6c4c97ece92023f1a
                                                  • Instruction Fuzzy Hash: BFE08C3000024CBACF11AFA0E884BDC3F689B20395F009016FC0C8E201C370CAE18740
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: 7e7b5034dca94e9b65c6d82b49d84720bf2a2f8f6dd095368e5382a925c6c191
                                                  • Instruction ID: 067bc96e76e650cf871a329401f92447c4a130ef23d3307a2c1c47b48a01a07e
                                                  • Opcode Fuzzy Hash: 7e7b5034dca94e9b65c6d82b49d84720bf2a2f8f6dd095368e5382a925c6c191
                                                  • Instruction Fuzzy Hash: 5252AF30908249DFDF15CFA8C9D4BADBBB5AF59304F284099E805EB281DB75DE91CB20
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: 5724c518f2b01a518019a8f40f7710a23ed22e19f000f8e6f778f705eaa0bd70
                                                  • Instruction ID: a90f2c7b145fdb9c0499653fca1597a023cfb4390c5d9b616adf288ad4af9dbd
                                                  • Opcode Fuzzy Hash: 5724c518f2b01a518019a8f40f7710a23ed22e19f000f8e6f778f705eaa0bd70
                                                  • Instruction Fuzzy Hash: 53F1CEB1904785EFCF25CF64C590AEABBF1BF29304F54886EE49A9B211D730AD44CB51
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: 9f9657cb15cd723154103bc42d726f937771cfb43841f31233906ab79c3fee60
                                                  • Instruction ID: d1277203e74a9818d788c7e556693427c6467a281d5e9c116ca26db2dede4275
                                                  • Opcode Fuzzy Hash: 9f9657cb15cd723154103bc42d726f937771cfb43841f31233906ab79c3fee60
                                                  • Instruction Fuzzy Hash: ADD18B70A00745AFDF29CFA8C880BEEBBF1BF58314F20852DE959A7651D775A844CB90
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0016CF96
                                                    • Part of subcall function 00171511: __EH_prolog.LIBCMT ref: 00171516
                                                    • Part of subcall function 00171511: _CxxThrowException.MSVCRT(?,001DD480), ref: 00171561
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$ExceptionThrow
                                                  • String ID:
                                                  • API String ID: 2366012087-0
                                                  • Opcode ID: 694409ed7aa61d6c82621c6186641f84e27e9063da257ffe97aa1f8230a69130
                                                  • Instruction ID: 4f19f69e497c20a4d490fbd8c084d2a06c8a0207c16b35783a2ffd7027b6eb88
                                                  • Opcode Fuzzy Hash: 694409ed7aa61d6c82621c6186641f84e27e9063da257ffe97aa1f8230a69130
                                                  • Instruction Fuzzy Hash: 34517F71A00289DFCB11CFA8D8C8BAEBBB4AF49304F1444AEF45AD7242C7759E55DB21
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: a4b7fa8dc107d182d2422403d1748719ed2ebc82b7250a6ea48800ec0bf8b2cd
                                                  • Instruction ID: f3892b5d991c5bcbc7ed5fe257414cd16e1ff6ab262754719595474c2d56975a
                                                  • Opcode Fuzzy Hash: a4b7fa8dc107d182d2422403d1748719ed2ebc82b7250a6ea48800ec0bf8b2cd
                                                  • Instruction Fuzzy Hash: 1A514B74A00606DFCB14CFA4C4909BAFBB2FF49345B14496DE9A2AB751D731A90ACF90
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: a363ae759ed57e65ddcdd11d38c6154a29181038ef98ebb9e0dee48bd65aed54
                                                  • Instruction ID: 911d7ed6533ad5ad76f0770d22bd32fa93f9c657d7866cfe7683beaac5b4f27d
                                                  • Opcode Fuzzy Hash: a363ae759ed57e65ddcdd11d38c6154a29181038ef98ebb9e0dee48bd65aed54
                                                  • Instruction Fuzzy Hash: 0B41AF70A00686EFDB24CFA4C884B6ABBA0FF44310F548A6DD856A7691C371ED91CF81
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00134255
                                                    • Part of subcall function 0013440B: __EH_prolog.LIBCMT ref: 00134410
                                                    • Part of subcall function 00121E0C: malloc.MSVCRT ref: 00121E1F
                                                    • Part of subcall function 00121E0C: _CxxThrowException.MSVCRT(?,001D4B28), ref: 00121E39
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$ExceptionThrowmalloc
                                                  • String ID:
                                                  • API String ID: 3744649731-0
                                                  • Opcode ID: 82a85244b180af3b709659358da6609373ca344942688bfe48c9a60ff8850cfd
                                                  • Instruction ID: 19d2aa15cade9ef6e6d636abf03d8bd418109315981a18d75eb70ebcf2ca3ca4
                                                  • Opcode Fuzzy Hash: 82a85244b180af3b709659358da6609373ca344942688bfe48c9a60ff8850cfd
                                                  • Instruction Fuzzy Hash: CB51E6B0801754CFC725DF69D284A8AFBF0BF29304F5588AEC49A97752D7B4A608CB61
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0014D0E6
                                                    • Part of subcall function 00121E0C: malloc.MSVCRT ref: 00121E1F
                                                    • Part of subcall function 00121E0C: _CxxThrowException.MSVCRT(?,001D4B28), ref: 00121E39
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ExceptionH_prologThrowmalloc
                                                  • String ID:
                                                  • API String ID: 3978722251-0
                                                  • Opcode ID: 6efc8385d3e7512da942f344f192ae9fb3220ad2f2c143cc9a34ce2dfedfd0b4
                                                  • Instruction ID: a54af304d9cb1a661e0b7de55cda41e37eb97189d23669c988b5193b82868757
                                                  • Opcode Fuzzy Hash: 6efc8385d3e7512da942f344f192ae9fb3220ad2f2c143cc9a34ce2dfedfd0b4
                                                  • Instruction Fuzzy Hash: AE41F571A002149FCF15DFA8D984BAEBBF4BF64B10F244499E842E7292CB70DE00CB90
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00137FCA
                                                    • Part of subcall function 0012950D: SysAllocStringLen.OLEAUT32(?,?), ref: 0012952C
                                                    • Part of subcall function 0012950D: _CxxThrowException.MSVCRT(?,001D55B8), ref: 0012954A
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: AllocExceptionH_prologStringThrow
                                                  • String ID:
                                                  • API String ID: 1940201546-0
                                                  • Opcode ID: 6a1e5831fd31da4dd7667c679db3fb010884f7555ac21bc5bcb240f950ee3422
                                                  • Instruction ID: bb43a66936e398566fdac53d25d84d30c9423df66371094b84aed901c1ffa951
                                                  • Opcode Fuzzy Hash: 6a1e5831fd31da4dd7667c679db3fb010884f7555ac21bc5bcb240f950ee3422
                                                  • Instruction Fuzzy Hash: C1318F72820219DADF1CAFA8D9519FEB7B0FF24314F41412AF012B7162DF359A18CB51
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0015ADBC
                                                    • Part of subcall function 0015AD29: __EH_prolog.LIBCMT ref: 0015AD2E
                                                    • Part of subcall function 0015AF2D: __EH_prolog.LIBCMT ref: 0015AF32
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: 9dcabf175c3ea5583123a25f6c7aaf419eb3da3712687f921550018f6db23c62
                                                  • Instruction ID: 434103a8b4021cc903233279e0edcf3add59c34cf5f9e40b6619dc20195a1878
                                                  • Opcode Fuzzy Hash: 9dcabf175c3ea5583123a25f6c7aaf419eb3da3712687f921550018f6db23c62
                                                  • Instruction Fuzzy Hash: 7041B97148ABC0DEC326DF7881656CAFFE06F35200F94899EC4EA53652D774A60CC766
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: ee1dfcecd846569ed29c445cfbf8bf48620809d201255a0c13a1d808c8613b92
                                                  • Instruction ID: 4b2a5c3a77032f03b04dd2c73a95d4b3c5200375fc78b1005da0b384d021252f
                                                  • Opcode Fuzzy Hash: ee1dfcecd846569ed29c445cfbf8bf48620809d201255a0c13a1d808c8613b92
                                                  • Instruction Fuzzy Hash: DF314FB1D00209DFCB15DF96C9918EEBBB5FF98360B11811DE52667261C7309E41CBA0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 001498F7
                                                    • Part of subcall function 00149987: __EH_prolog.LIBCMT ref: 0014998C
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: 34890c02fa8084cdbfdafabf6c003621a73edd317cc3fc65f4f37ed550e7d3da
                                                  • Instruction ID: d5882ac684fc428197cd4a8c68147f4cbf0f01d6590e1495aca617b7b84878f5
                                                  • Opcode Fuzzy Hash: 34890c02fa8084cdbfdafabf6c003621a73edd317cc3fc65f4f37ed550e7d3da
                                                  • Instruction Fuzzy Hash: A7113435600205DFDB14CF69C884BABB3A9FF99358F14895CE856DB2A1CB31ED01CB60
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0014021F
                                                    • Part of subcall function 00133D66: __EH_prolog.LIBCMT ref: 00133D6B
                                                    • Part of subcall function 00133D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00133D7D
                                                    • Part of subcall function 00133D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00133D94
                                                    • Part of subcall function 00133D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00133DB6
                                                    • Part of subcall function 00133D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00133DCB
                                                    • Part of subcall function 00133D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00133DD5
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID:
                                                  • API String ID: 1532160333-0
                                                  • Opcode ID: c7d6e282c8cb92611765ce0e7c2102aa80df44cd82a369d31c96f75d9fe9bf60
                                                  • Instruction ID: dbef3f45092954267e2ddf522cfd83128d24c004ce37ea7c9199dff233cbb8be
                                                  • Opcode Fuzzy Hash: c7d6e282c8cb92611765ce0e7c2102aa80df44cd82a369d31c96f75d9fe9bf60
                                                  • Instruction Fuzzy Hash: CF2139B1846B90CFC321CF6B86D1686FFF4BB29600B94996EC0DA83B12C370A548CF55
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00141C74
                                                    • Part of subcall function 00126C72: __EH_prolog.LIBCMT ref: 00126C77
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: 109402193d0cff941938d858a0f6dda8d23b7b7a90fc43c6d36aef1ea52462a5
                                                  • Instruction ID: 1f51ee9d7f747ab6236a98ebb5508a1e8989a57816185dce89a0600a547cd6c3
                                                  • Opcode Fuzzy Hash: 109402193d0cff941938d858a0f6dda8d23b7b7a90fc43c6d36aef1ea52462a5
                                                  • Instruction Fuzzy Hash: 9B118071900224ABCF19FBE4ED92BEDBB79AF24354F000068E842731E2DF755D96C694
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00137E5F
                                                    • Part of subcall function 00126C72: __EH_prolog.LIBCMT ref: 00126C77
                                                    • Part of subcall function 00121E40: free.MSVCRT ref: 00121E44
                                                    • Part of subcall function 0012757D: GetLastError.KERNEL32(0012D14C), ref: 0012757D
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$ErrorLastfree
                                                  • String ID:
                                                  • API String ID: 683690243-0
                                                  • Opcode ID: a6dc40d1dbc48f4c6710d1468b98559b74cf79278cb60220c84a7c73a02c07f5
                                                  • Instruction ID: 07852796c344642c3e045d494de98f898494e501676f374f508e2a6b2771402c
                                                  • Opcode Fuzzy Hash: a6dc40d1dbc48f4c6710d1468b98559b74cf79278cb60220c84a7c73a02c07f5
                                                  • Instruction Fuzzy Hash: 1001DB716447509FC725EF79D8929DFBBB1EF65310F00462EE443535D1CB346919CA50
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0016BF91
                                                    • Part of subcall function 0016D144: __EH_prolog.LIBCMT ref: 0016D149
                                                    • Part of subcall function 00121E40: free.MSVCRT ref: 00121E44
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$free
                                                  • String ID:
                                                  • API String ID: 2654054672-0
                                                  • Opcode ID: c2d760f62811714efd92a8636590e3c4bf2c58776b840f7f9ae8b2a00eaf5f51
                                                  • Instruction ID: 57c8b018a9e6160e6974b068061c1a96b47d4330b2613dd2ffc915cc4917e667
                                                  • Opcode Fuzzy Hash: c2d760f62811714efd92a8636590e3c4bf2c58776b840f7f9ae8b2a00eaf5f51
                                                  • Instruction Fuzzy Hash: CF115E71900714EBC725EF64DE05BDABBF4FF21344F00491DE4A6A3692D7B0AA18CB80
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0016BDBA
                                                    • Part of subcall function 0016BE69: __EH_prolog.LIBCMT ref: 0016BE6E
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: e7e6d51d51b002e43a76bced22252096ea14c708ef1d84934d5dbf3933694f8f
                                                  • Instruction ID: 7ea1286c76ae5fdc65ace3f94b345f474cba9e5d0e97eb3973565551f7d8642d
                                                  • Opcode Fuzzy Hash: e7e6d51d51b002e43a76bced22252096ea14c708ef1d84934d5dbf3933694f8f
                                                  • Instruction Fuzzy Hash: DE11E6B1501744DFC720DF99C688A86FBE4FF29304F54C86ED0AAA7712D7B0A948CB50
                                                  APIs
                                                  • SetFileTime.KERNEL32(00000002,00000000,000000FF,00000000,00000000,80000000,00000000,?,00121AD1,00000000,00000002,00000002,?,00127B3E,?,00000000), ref: 00127AFD
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: FileTime
                                                  • String ID:
                                                  • API String ID: 1425588814-0
                                                  • Opcode ID: b07717b27f57a0832861a2d1a54adf5e3c70e06f0f39abd7816f5e9191b2c963
                                                  • Instruction ID: 57bebfaaf655b08ae94e17a1478ecbc5cb368ac606ddf6b0550f9c820d0950a7
                                                  • Opcode Fuzzy Hash: b07717b27f57a0832861a2d1a54adf5e3c70e06f0f39abd7816f5e9191b2c963
                                                  • Instruction Fuzzy Hash: AC01AD30108258BFDF268F54DC09BEF7FA99B15320F14814DB8A6532E2C7709E60D754
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0015C0B8
                                                    • Part of subcall function 00147193: __EH_prolog.LIBCMT ref: 00147198
                                                    • Part of subcall function 00121E40: free.MSVCRT ref: 00121E44
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$free
                                                  • String ID:
                                                  • API String ID: 2654054672-0
                                                  • Opcode ID: 226f3d68bb1559474679b216c08f0852928fd27fa3c2d505b510440f2a82b7a7
                                                  • Instruction ID: 227eb9ba170f36386c82dfc7107e34eab514337bb92a5e696bbac14b2bc7cc7c
                                                  • Opcode Fuzzy Hash: 226f3d68bb1559474679b216c08f0852928fd27fa3c2d505b510440f2a82b7a7
                                                  • Instruction Fuzzy Hash: DFF0BB76900321EFDB159F59D94179EF3A9EF64750F11002FF811AB651CBB1DC148AD0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00160364
                                                    • Part of subcall function 001601C4: __EH_prolog.LIBCMT ref: 001601C9
                                                    • Part of subcall function 00160143: __EH_prolog.LIBCMT ref: 00160148
                                                    • Part of subcall function 00121E40: free.MSVCRT ref: 00121E44
                                                    • Part of subcall function 001603D8: __EH_prolog.LIBCMT ref: 001603DD
                                                    • Part of subcall function 0016004A: __EH_prolog.LIBCMT ref: 0016004F
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$free
                                                  • String ID:
                                                  • API String ID: 2654054672-0
                                                  • Opcode ID: bc357b4f13951325f5fe0cecb2841ac52e9107cc5512d3fcd7b5365e424c8337
                                                  • Instruction ID: af11f116bde1b32126e50a0f74ea862118fb3376635c0bdaa7fc39057555648b
                                                  • Opcode Fuzzy Hash: bc357b4f13951325f5fe0cecb2841ac52e9107cc5512d3fcd7b5365e424c8337
                                                  • Instruction Fuzzy Hash: A2F0F431915A50EFCB1AEB68DC2279EBBE5EF24314F10465DE052632D2CBB89B148744
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: 42355dfb3f16d69c26652d05925b09ee0395039fabc9ff2b0dfaf470b84f9dd3
                                                  • Instruction ID: f9784311d747ceafc1209237bd0003104b2553ae118967d9c9e3e3eb8d309725
                                                  • Opcode Fuzzy Hash: 42355dfb3f16d69c26652d05925b09ee0395039fabc9ff2b0dfaf470b84f9dd3
                                                  • Instruction Fuzzy Hash: 6AF0AF32E1011AEBCB04DF98D8409EFBB75FF54790B00805AF825E7250DB348A05CB90
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0016550A
                                                    • Part of subcall function 00164E8A: __EH_prolog.LIBCMT ref: 00164E8F
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: 6daaac3ada549abdad6659eae0a71677c6a021a736cbf1b60fdf3f50fddf2f90
                                                  • Instruction ID: 6609a46ea048f61e29b1356418430a4ecbefb451a28c09c6e27b27b36847f62f
                                                  • Opcode Fuzzy Hash: 6daaac3ada549abdad6659eae0a71677c6a021a736cbf1b60fdf3f50fddf2f90
                                                  • Instruction Fuzzy Hash: 8CF06D76600914EFCB059F48DD15BDE7BBAFF84360F11442AF402A7241DB76DD118BA0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: e990d537d75e3c539ce2620f7dd7faa8d23cc2b44d9ce6e9563664367fe8ff49
                                                  • Instruction ID: 71f8d2aef234afa3c75bcce91d87c97f5381f71be10dde9d8adea13cea64f5aa
                                                  • Opcode Fuzzy Hash: e990d537d75e3c539ce2620f7dd7faa8d23cc2b44d9ce6e9563664367fe8ff49
                                                  • Instruction Fuzzy Hash: 49E06D72600108AFCB04EF98D855F9AB7A8EB58354F10841EF00A97201C7349A00CA60
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00165E30
                                                    • Part of subcall function 001608B6: __aulldiv.LIBCMT ref: 0016093F
                                                    • Part of subcall function 0013DFC9: __EH_prolog.LIBCMT ref: 0013DFCE
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$__aulldiv
                                                  • String ID:
                                                  • API String ID: 604474441-0
                                                  • Opcode ID: 873367c4005c9e44dba56a80b4650ed62c2e97af4e068ebe821f128ec87b762c
                                                  • Instruction ID: 9ccece8c4c105e9ddc7bc1820998ccd547df24f23d80f2e79577b29a1d8af8d1
                                                  • Opcode Fuzzy Hash: 873367c4005c9e44dba56a80b4650ed62c2e97af4e068ebe821f128ec87b762c
                                                  • Instruction Fuzzy Hash: E2E03070E107509FCB55DB68955168EB7E4BB18700F00486EA042D3B41DBB4A5008B80
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00168ED6
                                                    • Part of subcall function 00169267: __EH_prolog.LIBCMT ref: 0016926C
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: 7a854f090700163436e330ffdb0f44bc0823c324d948a9cd77a3f30180fa6753
                                                  • Instruction ID: a5e8c59743a988015cbff4dbd764ce887d388f0d0a8e862940fb23b4b70273c1
                                                  • Opcode Fuzzy Hash: 7a854f090700163436e330ffdb0f44bc0823c324d948a9cd77a3f30180fa6753
                                                  • Instruction Fuzzy Hash: 40E09271920520DBCB0DEB64DA22BDDB7A8EF24704F00065DA413A2582DBB46704C781
                                                  APIs
                                                  • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00127C8B
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  • Opcode ID: 429e112e139c39ec755db6c9d9f70f4833ead08cfaf2e6448b68ec660dcdec4e
                                                  • Instruction ID: 4522ec315a6d23bfab0ea66d1589f718c8ddb6d49ebb599f7b9481815181aa29
                                                  • Opcode Fuzzy Hash: 429e112e139c39ec755db6c9d9f70f4833ead08cfaf2e6448b68ec660dcdec4e
                                                  • Instruction Fuzzy Hash: 77E01A75600209FBCF15CFA5D801F8E7BB9EB09754F20C06AF9199A2A0D739DA60DF54
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0016BE6E
                                                    • Part of subcall function 00165E2B: __EH_prolog.LIBCMT ref: 00165E30
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: 8cb8dba38770bcd9d978b52f3a0c3cda93902540d5727750d1c7f830d715a081
                                                  • Instruction ID: 18999fcf0933106c84cdc5cae63354180e7a9c8a226108d2dec7847616ab5d25
                                                  • Opcode Fuzzy Hash: 8cb8dba38770bcd9d978b52f3a0c3cda93902540d5727750d1c7f830d715a081
                                                  • Instruction Fuzzy Hash: 7CE09271A24A608BD715EB28C811BDDB7E8BB20304F00855EE0A6D32C2CFB46A14C7A1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs
                                                  • String ID:
                                                  • API String ID: 1795875747-0
                                                  • Opcode ID: e8804611e749ba5378b0fadebfb96fa0f31613045b0eb2628a45c3deb67f2470
                                                  • Instruction ID: 655014d680df47e356a86f9ca2f4d324a947bb8c62bf30f997e48881515d7959
                                                  • Opcode Fuzzy Hash: e8804611e749ba5378b0fadebfb96fa0f31613045b0eb2628a45c3deb67f2470
                                                  • Instruction Fuzzy Hash: 7ED01232504129ABCF156B95EC45CDD7BBCEF18214704441AF545E2150EA75E914CB94
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0015F74A
                                                    • Part of subcall function 0015F784: __EH_prolog.LIBCMT ref: 0015F789
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: aa75a948a58b8e51f165947429dcdc8b35f9f13fa71586681693d80158dbd65c
                                                  • Instruction ID: 8acae8b916e707dc85fb4d9822dc6b4c543a00bff3cc43a11e6241f62cd1257a
                                                  • Opcode Fuzzy Hash: aa75a948a58b8e51f165947429dcdc8b35f9f13fa71586681693d80158dbd65c
                                                  • Instruction Fuzzy Hash: 36D01271A10204BFDB149B89DD13BEEB778EB54755F10052EF00175141C3B59A008AA5
                                                  APIs
                                                  • ReadFile.KERNELBASE(00000002,?,?,00000000,00000000,00000002,?,0012785F,00000000,00004000,00000000,00000002,?,?,?), ref: 00127B65
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  • Opcode ID: 8f178c589adb23f9d2178663bac1d23143561052bde105aa169811bfb51c6377
                                                  • Instruction ID: e793c970a7ff7923d89b8d2a8ae6e2aacace90be5aff0f4b53f99b337b0d1864
                                                  • Opcode Fuzzy Hash: 8f178c589adb23f9d2178663bac1d23143561052bde105aa169811bfb51c6377
                                                  • Instruction Fuzzy Hash: 5EE0EC75200208FBDF01CF91CC01F8E7BB9EB49754F208058E90596160C375EA54EB50
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 001780AF
                                                    • Part of subcall function 00121E0C: malloc.MSVCRT ref: 00121E1F
                                                    • Part of subcall function 00121E0C: _CxxThrowException.MSVCRT(?,001D4B28), ref: 00121E39
                                                    • Part of subcall function 0016BDB5: __EH_prolog.LIBCMT ref: 0016BDBA
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$ExceptionThrowmalloc
                                                  • String ID:
                                                  • API String ID: 3744649731-0
                                                  • Opcode ID: 10fc6d74981b5efdabc92892ed8a97d6efa9513d67906f67c8827a901756bb5c
                                                  • Instruction ID: 3871b2310b7314755612afb2636ae6404b5aacf6aef1a7b1b3f0334b81385a23
                                                  • Opcode Fuzzy Hash: 10fc6d74981b5efdabc92892ed8a97d6efa9513d67906f67c8827a901756bb5c
                                                  • Instruction Fuzzy Hash: 72D05E71B05105AFCF0CEFB8A926B6E72E0AB64304F10457DB016E7781EF708A408620
                                                  APIs
                                                  • FindClose.KERNELBASE(00000000,?,00126880), ref: 00126853
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: CloseFind
                                                  • String ID:
                                                  • API String ID: 1863332320-0
                                                  • Opcode ID: 1a770516be6a0b837b9a8911c825cc8a7dce45e87a389ec9a9cb0d4173ab8549
                                                  • Instruction ID: 8b74f18e445efbd94ad4c8c8df32ac7af02671f078928375d7b1f5ff13fd2c4d
                                                  • Opcode Fuzzy Hash: 1a770516be6a0b837b9a8911c825cc8a7dce45e87a389ec9a9cb0d4173ab8549
                                                  • Instruction Fuzzy Hash: CDD012315043328A8A64AE3EB8489D677D86F063343250B9AF0B4C31E6E760CCD39A90
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs
                                                  • String ID:
                                                  • API String ID: 1795875747-0
                                                  • Opcode ID: 1ceb2e3a55d5244f523c877b5d32a9723d4e93cfbed8da47d17fee28af28edf6
                                                  • Instruction ID: d52f3be747f02c117a8e0ca5b3e0035ff85f6a73d95b4d57e3432df658ae3de2
                                                  • Opcode Fuzzy Hash: 1ceb2e3a55d5244f523c877b5d32a9723d4e93cfbed8da47d17fee28af28edf6
                                                  • Instruction Fuzzy Hash: AAD0C936008251AF96256F06FC09C8BBFA5FFE5320725082FF480921609B626C65DAA4
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputc
                                                  • String ID:
                                                  • API String ID: 1992160199-0
                                                  • Opcode ID: 0d3462e986ae9000c42ec7759d1b2366026a55b0ab8fd0c882ad2ba2b38153a6
                                                  • Instruction ID: 7b4b046dcaa2a1109a5c769e3396630c4cfaa9f6fc012d607e7f4d0ca85d3e59
                                                  • Opcode Fuzzy Hash: 0d3462e986ae9000c42ec7759d1b2366026a55b0ab8fd0c882ad2ba2b38153a6
                                                  • Instruction Fuzzy Hash: 5AB092323082209BE6181A9CBC0AAC06B94DB09732B25005FF548C21909A915C818AD5
                                                  APIs
                                                  • SetFileTime.KERNELBASE(?,?,?,?,00127C65,00000000,00000000,?,0012F238,?,?,?,?), ref: 00127C49
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: FileTime
                                                  • String ID:
                                                  • API String ID: 1425588814-0
                                                  • Opcode ID: c9fbfa2bc41f783395fb681d65d9fe155af8ad0b728a7a783dfdffe6c373fe6d
                                                  • Instruction ID: 7a1bf02d3db49ba9195fa3377a6962083f2ca9399f43466e574152b24606cd33
                                                  • Opcode Fuzzy Hash: c9fbfa2bc41f783395fb681d65d9fe155af8ad0b728a7a783dfdffe6c373fe6d
                                                  • Instruction Fuzzy Hash: 14C04C36258105FF8F020F71CC04C1ABFA2ABA5711F10C918F159C4470C7328424EB02
                                                  APIs
                                                  • SetEndOfFile.KERNELBASE(?,00127D81,?,?,?), ref: 00127D3E
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: File
                                                  • String ID:
                                                  • API String ID: 749574446-0
                                                  • Opcode ID: 9fc459847f18a2eed1e70c011c07672104271f548c1529fb1bcc8821321cb4ff
                                                  • Instruction ID: 3ee1c4bd42ba4f62b78d2a26c8db8df36fb70843cf8b75f3efdc95d709de411d
                                                  • Opcode Fuzzy Hash: 9fc459847f18a2eed1e70c011c07672104271f548c1529fb1bcc8821321cb4ff
                                                  • Instruction Fuzzy Hash: 47A001702A511A8E8E111B35D8098243AA1AB5260676426A4A006CA8B5DA22885AAA41
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: memmove
                                                  • String ID:
                                                  • API String ID: 2162964266-0
                                                  • Opcode ID: ab9016d9cd586092e3227759c0834973361202c3c7c5c389d9b9cd4ad613a81c
                                                  • Instruction ID: d9abaec2eaaed53f4975d0b96c5f8d48e3efdf8145deccb89afcee0bbe2782e2
                                                  • Opcode Fuzzy Hash: ab9016d9cd586092e3227759c0834973361202c3c7c5c389d9b9cd4ad613a81c
                                                  • Instruction Fuzzy Hash: 59814D75E042699FCF24CFA8D484AAEBBB1AF48304F148469D616A7341D775EA90CF90
                                                  APIs
                                                  • CloseHandle.KERNELBASE(00000000,00000000,00133D8D,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00133E12
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle
                                                  • String ID:
                                                  • API String ID: 2962429428-0
                                                  • Opcode ID: 746ee36966e01bdb1c0890bfaf5cf8340da400aa529b59c5776a3243385bf27e
                                                  • Instruction ID: 08537c41926f43df3f3e98ee33034e963dab3dfd27c07d473876a7cd7326b653
                                                  • Opcode Fuzzy Hash: 746ee36966e01bdb1c0890bfaf5cf8340da400aa529b59c5776a3243385bf27e
                                                  • Instruction Fuzzy Hash: 0CD012326142118BDB705E2DF8047D163DD6F10321F154469F890CB140E764CCC35A94
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: malloc
                                                  • String ID:
                                                  • API String ID: 2803490479-0
                                                  • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                                  • Instruction ID: 31e2730cc063a5575601cdb0040529908db28f79b51b1ff7db6e85bea3b28e64
                                                  • Opcode Fuzzy Hash: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                                  • Instruction Fuzzy Hash: 7ED022B830320102CF484A304C0AB7B30846F5530AF2C88BCE813CB289FB18C2298268
                                                  APIs
                                                  • CloseHandle.KERNELBASE(00000000,?,001275AF,00000002,?,00000000,00000000), ref: 00127657
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle
                                                  • String ID:
                                                  • API String ID: 2962429428-0
                                                  • Opcode ID: ea354106ca8feb0d23df93f8e7e12a418cbadecabe4d12668ee347b5039b514f
                                                  • Instruction ID: 50ef72aaad557ecc40fc663d4df444f14eb03719ca5c5a45ab274e8d45e58e91
                                                  • Opcode Fuzzy Hash: ea354106ca8feb0d23df93f8e7e12a418cbadecabe4d12668ee347b5039b514f
                                                  • Instruction Fuzzy Hash: 3BD012311086324A9A641E3C7845DC337D85B123343650759F0B4C32E1D364CCD34A90
                                                  APIs
                                                  • VirtualAlloc.KERNELBASE(00000000), ref: 001A6B31
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 513b87416727ee86f22cbf7daeb830494e5b88e1904cdfe48bc32f0f5475d1f5
                                                  • Instruction ID: f322b557f82ba847e9e2f0a2580764676d5455c46086499f15f31876964cbd2d
                                                  • Opcode Fuzzy Hash: 513b87416727ee86f22cbf7daeb830494e5b88e1904cdfe48bc32f0f5475d1f5
                                                  • Instruction Fuzzy Hash: 22C08CE1A4D280DFDF0213108C40B603F208B93300F0A00C1E4085B492C2041C18C762
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: malloc
                                                  • String ID:
                                                  • API String ID: 2803490479-0
                                                  • Opcode ID: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                                  • Instruction ID: 29fe21b0faf8dbdd30fad559cf81ffc36697b712380b01cd8b1941cf13500112
                                                  • Opcode Fuzzy Hash: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                                  • Instruction Fuzzy Hash: F2A022CEA2208002EE2E32383C028AB200023B030FBC80CFCF802C0202FB2AC20C200A
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: malloc
                                                  • String ID:
                                                  • API String ID: 2803490479-0
                                                  • Opcode ID: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                                  • Instruction ID: 3d81dd63b8ea90d10af08b562690997f702ddac768860e943953f0181a692c23
                                                  • Opcode Fuzzy Hash: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                                  • Instruction Fuzzy Hash: A4A011CCE0000002AE0A20383C028A3202222F0A0ABE8C8B8A8008220AFB2AC0082002
                                                  APIs
                                                  • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 001A6BAC
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: FreeVirtual
                                                  • String ID:
                                                  • API String ID: 1263568516-0
                                                  • Opcode ID: 7637d99e9766d78a3aeb353b7745f12f4457e020a9dd49dd94b92b6acb95f671
                                                  • Instruction ID: 342ecf0ae7f9e616c9be758a79e7d960392613a766f35d7ba76068e9260c4341
                                                  • Opcode Fuzzy Hash: 7637d99e9766d78a3aeb353b7745f12f4457e020a9dd49dd94b92b6acb95f671
                                                  • Instruction Fuzzy Hash: C6A0027C680700B7ED6067306D4FF593B247790F05F308544B246694D05AE4B4959A9C
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: free
                                                  • String ID:
                                                  • API String ID: 1294909896-0
                                                  • Opcode ID: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                                  • Instruction ID: eebac80faf03209174aaf45ec611e5cf6964a7552fc497b064da080274403a8d
                                                  • Opcode Fuzzy Hash: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                                  • Instruction Fuzzy Hash:
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: free
                                                  • String ID:
                                                  • API String ID: 1294909896-0
                                                  • Opcode ID: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                                  • Instruction ID: 0289a84c286d6a774ef29cf4f4542dafd75104551f3c7a37e175a8adf0179ffb
                                                  • Opcode Fuzzy Hash: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                                  • Instruction Fuzzy Hash:
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: free
                                                  • String ID:
                                                  • API String ID: 1294909896-0
                                                  • Opcode ID: d82665b4576b983330778f943b8ce599b517f7574cf6ba6468ba2a1b4276025f
                                                  • Instruction ID: 80deac1a2cb48cdad9ad96bdd0c121b00369f7158885b38fabcb6996f982901a
                                                  • Opcode Fuzzy Hash: d82665b4576b983330778f943b8ce599b517f7574cf6ba6468ba2a1b4276025f
                                                  • Instruction Fuzzy Hash: 21A00271405102DBDA051B11ED0988D7F61EB95627B254459F05B508718B318CA0BA41
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: Version
                                                  • String ID:
                                                  • API String ID: 1889659487-0
                                                  • Opcode ID: 7594e8172fa4f043c102e99b213717bba79b3856255aabaeb00c202dd65345a6
                                                  • Instruction ID: ad4947e04c7abd0fbb847846eff03f90a3fedb26050d3d478bca27e1404a41ad
                                                  • Opcode Fuzzy Hash: 7594e8172fa4f043c102e99b213717bba79b3856255aabaeb00c202dd65345a6
                                                  • Instruction Fuzzy Hash: 41D01272911505CBD701B62CC806B597761F774340FC90958E865C1153FB6DCAA5C2D3
                                                  APIs
                                                  • memcmp.MSVCRT(?,001D48A0,00000010), ref: 0012C09E
                                                  • memcmp.MSVCRT(?,001D0258,00000010), ref: 0012C0BB
                                                  • memcmp.MSVCRT(?,001D0348,00000010), ref: 0012C0CE
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: memcmp
                                                  • String ID:
                                                  • API String ID: 1475443563-0
                                                  • Opcode ID: ba94ec45aea4516b537c67b0879a77880fcc300eba5fff590f149d05057dd6cf
                                                  • Instruction ID: 1e1c0727cde0b063e77b1387c77723d61a2b66125a19138d3b033b7460ef8f8c
                                                  • Opcode Fuzzy Hash: ba94ec45aea4516b537c67b0879a77880fcc300eba5fff590f149d05057dd6cf
                                                  • Instruction Fuzzy Hash: 59917071640620EBD7659A25EC41FAF77A8FF69750F008429FE4AE7241FB20AE54CBD0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: $16-bit overflow for number of files in headers$32-bit overflow in headers$Central$Local$Minor_Extra_ERROR$Missing volume : $Unsorted_CD$Zip64$apk
                                                  • API String ID: 3519838083-1909666238
                                                  • Opcode ID: efd76e86f30e5afe9a9aae878d8383612158cf09a3d5f0a73e04d0d674086922
                                                  • Instruction ID: 0c8ca018a3c2a06c9e9a9a54830ac39e1a0ac29ce65c07a266d89099b929c661
                                                  • Opcode Fuzzy Hash: efd76e86f30e5afe9a9aae878d8383612158cf09a3d5f0a73e04d0d674086922
                                                  • Instruction Fuzzy Hash: B9C19131904287AFDB19EFA4D455ABD7BB1EF12300F5A80A9E0596B262DF309F45DF40
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 001264F8
                                                  • GetCurrentThreadId.KERNEL32 ref: 00126508
                                                  • GetTickCount.KERNEL32 ref: 00126513
                                                  • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 0012651E
                                                  • GetTickCount.KERNEL32 ref: 00126578
                                                  • SetLastError.KERNEL32(000000B7,?,?,?,?,00000000), ref: 001265C5
                                                  • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 001265EC
                                                    • Part of subcall function 00125D7A: __EH_prolog.LIBCMT ref: 00125D7F
                                                    • Part of subcall function 00125D7A: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 00125DA1
                                                    • Part of subcall function 00121E40: free.MSVCRT ref: 00121E44
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: CountCurrentErrorH_prologLastTick$CreateDirectoryProcessThreadfree
                                                  • String ID: .tmp$d
                                                  • API String ID: 1989517917-2797371523
                                                  • Opcode ID: 39c1976ca7f7a80ad55dd78a15a10f17157eed3a4bb37ce4727fe0e4d38e108a
                                                  • Instruction ID: 98bc4007766ac9a36e746bdac9747944fcab06cf635bb80f61313a0ba2b8e0e5
                                                  • Opcode Fuzzy Hash: 39c1976ca7f7a80ad55dd78a15a10f17157eed3a4bb37ce4727fe0e4d38e108a
                                                  • Instruction Fuzzy Hash: 0241BE32910134EBDF19ABA4FC55BED7BB1FF25394F144129E806A66E1CB388D60CB91
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prologfputs
                                                  • String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
                                                  • API String ID: 1798449854-1259944392
                                                  • Opcode ID: 067a1980aa0945f707a9e2add484550219bb88f667571809bab49a9a8d8e66d6
                                                  • Instruction ID: 5adaa42f389e5d8157c60a1dbd3248a514ae8488b8f4833fb92a022e2c38209d
                                                  • Opcode Fuzzy Hash: 067a1980aa0945f707a9e2add484550219bb88f667571809bab49a9a8d8e66d6
                                                  • Instruction Fuzzy Hash: BD216231A00524DFCB05EB94D942EAEB7B5EF74310F40002DE51697691DB74ED1ACB80
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0012A091
                                                    • Part of subcall function 00129BAA: RegCloseKey.ADVAPI32(?,?,00129BA0), ref: 00129BB6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: CloseH_prolog
                                                  • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$Previous Update Revision$Update Revision$x86
                                                  • API String ID: 1579395594-270022386
                                                  • Opcode ID: 733d9c22078b88b6f3b93657bfa820c71da32970e63228cd101a19baa581311f
                                                  • Instruction ID: 32b768efd4ef948dddae91b121dbe0729d0e6225f3e285e547d9ff611fa2121d
                                                  • Opcode Fuzzy Hash: 733d9c22078b88b6f3b93657bfa820c71da32970e63228cd101a19baa581311f
                                                  • Instruction Fuzzy Hash: 6E51B171A00229DFCF14EF98E992EAEB7B4FF68310F40442DE556A7251DB30AD15CB91
                                                  APIs
                                                  • memset.MSVCRT ref: 001803F5
                                                  • memcpy.MSVCRT(?,?,00000008,00000064,?,?,?,?,00000064), ref: 00180490
                                                  • memset.MSVCRT ref: 00180618
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: memset$memcpy
                                                  • String ID: $@
                                                  • API String ID: 368790112-1077428164
                                                  • Opcode ID: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                                                  • Instruction ID: 5f0fcd726e99050f7bddad578560fe0ce2f9a14c53a942fd05ef93736a73aa77
                                                  • Opcode Fuzzy Hash: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                                                  • Instruction Fuzzy Hash: 6091F43190070CAFDBA2EF24C851BDAB7B1AF68314F108459E59A57192E770BB9DCF90
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00126141
                                                    • Part of subcall function 00126C72: __EH_prolog.LIBCMT ref: 00126C77
                                                  • SetLastError.KERNEL32(0000010B,00000000,00000000), ref: 00126197
                                                  • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 0012626E
                                                  • SetLastError.KERNEL32(?,?,?,?,?,0000005C,?,00000000,00000000), ref: 001262A9
                                                    • Part of subcall function 00126096: __EH_prolog.LIBCMT ref: 0012609B
                                                    • Part of subcall function 00126096: DeleteFileW.KERNEL32(?,?,?,00000000), ref: 001260DF
                                                  • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 00126285
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$H_prolog$DeleteFile
                                                  • String ID:
                                                  • API String ID: 3586524497-0
                                                  • Opcode ID: 7721eede75ac361972c718a2593e1af08e2ba562f1a72883663ae2bc61bf91a1
                                                  • Instruction ID: 8b82935c9ad12496050d7979dfb54defa0bd30cd8a3bd2ddf1c329976011174a
                                                  • Opcode Fuzzy Hash: 7721eede75ac361972c718a2593e1af08e2ba562f1a72883663ae2bc61bf91a1
                                                  • Instruction Fuzzy Hash: 18519A31C04238EADF1AEBE4F891BEDBB75AF25350F104059E841731D2CB356A2ACB60
                                                  APIs
                                                  • memcmp.MSVCRT(?,001D48A0,00000010), ref: 001344DB
                                                  • memcmp.MSVCRT(?,001D0128,00000010), ref: 001344EE
                                                  • memcmp.MSVCRT(?,001D0228,00000010), ref: 0013450B
                                                  • memcmp.MSVCRT(?,001D0248,00000010), ref: 00134528
                                                  • memcmp.MSVCRT(?,001D01C8,00000010), ref: 00134545
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: memcmp
                                                  • String ID:
                                                  • API String ID: 1475443563-0
                                                  • Opcode ID: 56cd6a1df67be814585d1f41dec749ce21a9217c640e517a0553e9e43d0f3268
                                                  • Instruction ID: f15d92a0678d8ac0d510f466a900f2384cc7732bedbb3d32856dbbdf105625e8
                                                  • Opcode Fuzzy Hash: 56cd6a1df67be814585d1f41dec749ce21a9217c640e517a0553e9e43d0f3268
                                                  • Instruction Fuzzy Hash: B921A472B402086BE7058E24DC82FBE3BACDB647A4F058139FD069B285F764ED418790
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: !$LZMA2:$LZMA:
                                                  • API String ID: 3519838083-3332058968
                                                  • Opcode ID: 5139654d8cfedb1cc40a68a398fbdbefa922e22d6cc935ae53ca2957881b56e2
                                                  • Instruction ID: ebe83484d4025cbeae10ab58cc00f61df719cffb8a53690ef0e20b4c4e16b39d
                                                  • Opcode Fuzzy Hash: 5139654d8cfedb1cc40a68a398fbdbefa922e22d6cc935ae53ca2957881b56e2
                                                  • Instruction Fuzzy Hash: A961F430A00146AEDB19CF68CD59FFD7BF1AF25344F1540A9E48667262DB70AEA0CBD4
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0012A389
                                                    • Part of subcall function 0012A4C5: GetModuleHandleW.KERNEL32(ntdll.dll,?,0012A3C1,00000001), ref: 0012A4CD
                                                    • Part of subcall function 0012A4C5: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0012A4DD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                  • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: AddressH_prologHandleModuleProc
                                                  • String ID: : $ SP:$Windows
                                                  • API String ID: 786088110-3655538264
                                                  • Opcode ID: d0be3153fc2b042022d3e72e0387b78c8f4efda5c15863d0d7a8853b77b47939
                                                  • Instruction ID: 47245e7e8dd5a364588c8cb61bcd2d14c9ab86293d75d2807b8224d023d93c9d
                                                  • Opcode Fuzzy Hash: d0be3153fc2b042022d3e72e0387b78c8f4efda5c15863d0d7a8853b77b47939
                                                  • Instruction Fuzzy Hash: 3731EE31900229ABCF15FBA5E9639FDBBB5BF24300F804069E50672191DB719AA5CB91
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0015602A
                                                  • EnterCriticalSection.KERNEL32(001E2938), ref: 00156044
                                                  • LeaveCriticalSection.KERNEL32(001E2938), ref: 00156060
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterH_prologLeave
                                                  • String ID: v
                                                  • API String ID: 367238759-3261393531
                                                  • Opcode ID: f5f17a0bc3f2431de7f77e2074d9024f0b8b8279b5a3edbf894a54b2b18c2d29
                                                  • Instruction ID: 2ae9fe16afba17fc136f9939cf361b5a3220313be45637d32d40fd64c0007c4e
                                                  • Opcode Fuzzy Hash: f5f17a0bc3f2431de7f77e2074d9024f0b8b8279b5a3edbf894a54b2b18c2d29
                                                  • Instruction Fuzzy Hash: 58F06736900114EFC700CF88C90AEDEBBB8FF45350F10816AF405A7211C7B8DA008BA0
                                                  APIs
                                                   • GetModuleHandleW.KERNEL32(ntdll.dll,?,0012A3C1,00000001), ref: 0012A4CD
                                                   • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0012A4DD
                                                     • Note: RtlGetVersion is resolved from ntdll.dll at run time instead of being imported, so it is absent from the import table; GetModuleHandle/GetProcAddress pairs like this are the behaviour the "dynamically determine API calls" signature describes. RtlGetVersion returns the real OS version, unaffected by the compatibility-manifest adjustment that GetVersionEx applies on Windows 8.1 and later.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: RtlGetVersion$ntdll.dll
                                                  • API String ID: 1646373207-1489217083
                                                  • Opcode ID: 7a15191e7bbbca1768da401191aec47a618ab078ea64081bea081f8cdc58bd9f
                                                  • Instruction ID: ec3679b267b404002e2131df9bb33ab33761b87fe7c5cab3fd14fbc9de96e1c0
                                                  • Opcode Fuzzy Hash: 7a15191e7bbbca1768da401191aec47a618ab078ea64081bea081f8cdc58bd9f
                                                  • Instruction Fuzzy Hash: D5D0C7713582205BF66076F57D0EFE6168C8F90B517094556F905D1440E7D4DDC345E5
                                                  APIs
                                                   • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,00000000,?), ref: 00140359
                                                   • GetLastError.KERNEL32(?,?,00000000,?), ref: 00140382
                                                   • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,?,00000000,?), ref: 001403DA
                                                   • GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,?), ref: 001403F0
                                                     • Note: RequestedInformation 00000007 is OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION. The call appears twice with GetLastError checked after each, which is the usual size-probe-then-fetch pattern: the first call fails with ERROR_INSUFFICIENT_BUFFER and reports the SECURITY_DESCRIPTOR length needed, the second reads it into a buffer of that size.
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastSecurity
                                                  • String ID:
                                                  • API String ID: 555121230-0
                                                  • Opcode ID: a96b43fb5e6d218c650dcb4ce836f4c6f25330bcf7d0cd668df6b01fe9ebb520
                                                  • Instruction ID: f30de61eb81925540c1480cbc817c0e689240ad95011ce3f191ca5040b9da79e
                                                  • Opcode Fuzzy Hash: a96b43fb5e6d218c650dcb4ce836f4c6f25330bcf7d0cd668df6b01fe9ebb520
                                                  • Instruction Fuzzy Hash: 93318F74900209EFDB11DFA5C880BAEBBB5FF48344F108959E596D7261D770AE81DFA0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00128300
                                                   • GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 0012834F
                                                   • DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 0012837C
                                                     • Note: control code 000900A8 is FSCTL_GET_REPARSE_POINT and the 00004000 output size is MAXIMUM_REPARSE_DATA_BUFFER_SIZE (16 KiB), i.e. this function reads the reparse data (symbolic-link or junction target) of an open handle. The stack values 00000003 and 02200000 captured alongside are consistent with OPEN_EXISTING and FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT from the caller's CreateFileW, the flags needed to open the reparse point itself rather than follow it.
                                                  • memcpy.MSVCRT(?,?,?,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 0012839B
                                                    • Part of subcall function 00121E40: free.MSVCRT ref: 00121E44
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ControlDeviceFileH_prologHandleInformationfreememcpy
                                                  • String ID:
                                                  • API String ID: 1689166341-0
                                                  • Opcode ID: dbd394f78b6dcc8414d5b3f6f30ee763746ed5ae4f3dc59883046e3e1ef12db5
                                                  • Instruction ID: b7700da560223b1062e9f3004418bbc11170e17e6b3b9fd910adbf3c320ee9d8
                                                  • Opcode Fuzzy Hash: dbd394f78b6dcc8414d5b3f6f30ee763746ed5ae4f3dc59883046e3e1ef12db5
                                                  • Instruction Fuzzy Hash: 3D21B372901114BFDF21DF95EC81EEEBBB9EF65750F14002DF945A6291CB318E54C660
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: BlockPackSize$BlockUnpackSize
                                                  • API String ID: 3519838083-5494122
                                                  • Opcode ID: 4855a621f504a8c4d58d80f8a6a05aa93f90223aa86a45d57a4ff362be47ee1e
                                                  • Instruction ID: e231ef4933a60277825bf8ec6e3d56e7d721240874336a16fd02a705b7144d2a
                                                  • Opcode Fuzzy Hash: 4855a621f504a8c4d58d80f8a6a05aa93f90223aa86a45d57a4ff362be47ee1e
                                                  • Instruction Fuzzy Hash: 1A51B3718002859EDF3ACBA49CB1AFEBBB1AF66300F18845ED096671A6D7315DBCD701
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0012A4F8
                                                    • Part of subcall function 0012A384: __EH_prolog.LIBCMT ref: 0012A389
                                                     • Part of subcall function 00129E14: GetSystemInfo.KERNEL32(?), ref: 00129E36
                                                     • Part of subcall function 00129E14: GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 00129E50
                                                     • Part of subcall function 00129E14: GetProcAddress.KERNEL32(00000000), ref: 00129E57
                                                     • Note: the subcall resolves GetNativeSystemInfo from kernel32.dll at run time after calling GetSystemInfo, which is consistent with using GetNativeSystemInfo when available and GetSystemInfo as the fallback. The distinction matters under WOW64: a 32-bit process sees the x86 architecture from GetSystemInfo, while GetNativeSystemInfo reports the real (64-bit) host architecture.
                                                  • strcmp.MSVCRT ref: 0012A564
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$AddressHandleInfoModuleProcSystemstrcmp
                                                  • String ID: -
                                                  • API String ID: 2798778560-3695764949
                                                  • Opcode ID: 23e4f84c93eb7f9228531a9fe5f1176d7c448c9707cf66d85e427cc5b6e19a35
                                                  • Instruction ID: 6f6e672028d69d97052b7bea8a6867de0c73d3a714abc338bf4d62b567b316c3
                                                  • Opcode Fuzzy Hash: 23e4f84c93eb7f9228531a9fe5f1176d7c448c9707cf66d85e427cc5b6e19a35
                                                  • Instruction Fuzzy Hash: 36315C32D00229ABCF15FBE4F8529EDB7B5EF64710F50402AF401721A1DB749A65CAA2
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: 0$x
                                                  • API String ID: 3519838083-1948001322
                                                  • Opcode ID: 6323e39899f775398826e7b1c5e1f0e92db11386bac8ea91fc586bdf92b623d9
                                                  • Instruction ID: 31199042cb0502fccb4193aafe688737607b95ee8d06fbfb435861a5cf29c661
                                                  • Opcode Fuzzy Hash: 6323e39899f775398826e7b1c5e1f0e92db11386bac8ea91fc586bdf92b623d9
                                                  • Instruction Fuzzy Hash: 6A216F36D0112DEBCF04EB98E992AEDB7B5FF68305F10002AE81177251DB759E14CBA1
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs
                                                  • String ID: =
                                                  • API String ID: 1795875747-2525689732
                                                  • Opcode ID: c4a41fae2e790cb67982e2f0ad84d530d618add3429c25682fdd3d8ea1417d3c
                                                  • Instruction ID: 98ce75406ba63a9b4e5075aa00ac05f7f80227c6c237f43ee0ea5fc4ed76de9c
                                                  • Opcode Fuzzy Hash: c4a41fae2e790cb67982e2f0ad84d530d618add3429c25682fdd3d8ea1417d3c
                                                  • Instruction Fuzzy Hash: 40E0D831A00114D7CB00E7E99C55CBE7F69FB80314704082AE820DB200FB70D925CBD0
                                                  APIs
                                                   • memcmp.MSVCRT(?,001D48A0,00000010), ref: 001841D6
                                                   • memcmp.MSVCRT(?,001D0168,00000010), ref: 001841F1
                                                   • memcmp.MSVCRT(?,001D01E8,00000010), ref: 00184205
                                                     • Note: three 16-byte comparisons of the same input against fixed constants. The constant addresses 001D0168, 001D01E8 and 001D48A0 all fall inside the read-only dump based at 001CC000 listed below, which is where to look them up when identifying what is being matched.
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1715678935.0000000000121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00120000, based on PE: true
                                                   • Associated: 00000009.00000002.1715658106.0000000000120000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715812063.00000000001CC000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715839121.00000000001E2000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000009.00000002.1715900712.00000000001EB000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_120000_7zr.jbxd
                                                  Similarity
                                                  • API ID: memcmp
                                                  • String ID:
                                                  • API String ID: 1475443563-0
                                                  • Opcode ID: 72f908a591a7d521f96780d38ec026780e63a13d2ffba7d0a6827e829fbeeda8
                                                  • Instruction ID: ceb87aa995bcca5fbee3db564b1daebe6fb9845d0a21f32bb4b9db80bc124986
                                                  • Opcode Fuzzy Hash: 72f908a591a7d521f96780d38ec026780e63a13d2ffba7d0a6827e829fbeeda8
                                                  • Instruction Fuzzy Hash: 9701263638030667D7146A10DC42FBE77A89B78750F04443DFE45DB281FBB4EA819B40