
Windows Analysis Report
#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe

Overview

General Information

Sample name: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe (the report's #U-escaped rendering of the Chinese filename 安装程序_2.1.0.exe, "Installer_2.1.0.exe"; the same escaped name appears in every path below)
renamed because original name is a hash value
Original sample name: _2.1.0.exe
Analysis ID: 1580582
MD5: 600e95b436735aec1a9e8667c9e07396
SHA1: f170160f0b04e668baddd8ba0346bb527db91dd5
SHA256: 817888612efe9489ead214871176b5cd4b0b147001bb82bd738572d6338d5c24
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe (PID: 2844 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" MD5: 600E95B436735AEC1A9E8667C9E07396)
    • #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp (PID: 5324 cmdline: "C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$20428,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" MD5: 22F03937DBEFC57A5B60577F7577D53A)
      • powershell.exe (PID: 2640 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 6748 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe (PID: 6896 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" /VERYSILENT MD5: 600E95B436735AEC1A9E8667C9E07396)
        • #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp (PID: 1544 cmdline: "C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$50160,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" /VERYSILENT MD5: 22F03937DBEFC57A5B60577F7577D53A)
          • 7zr.exe (PID: 5324 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
          • 7zr.exe (PID: 7208 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6968 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6844 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7288 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7304 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7320 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7340 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7424 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7436 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7484 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7500 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7552 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7568 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7620 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7636 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7688 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7704 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7756 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7772 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7828 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7848 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7892 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7908 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7960 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7976 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8032 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8048 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8100 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8112 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8176 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2084 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7196 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7172 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7276 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7260 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7296 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7316 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7304 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7356 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7444 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2588 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2676 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5828 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4828 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3004 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7456 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7524 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7584 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7592 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7652 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7640 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7720 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7748 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7788 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7776 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7852 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7872 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3340 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7944 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7992 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7980 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1352 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8072 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8056 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8188 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
No configs have been found
No yara matches

System Summary

Sigma match, rule author Florian Roth (Nextron Systems). Source: process started. Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$20428,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, ParentProcessId: 5324, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2640, ProcessName: powershell.exe
Sigma match, rule author Nasreddine Bencherchali (Nextron Systems). Source: process started. Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6968, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6844, ProcessName: sc.exe
Sigma match, rule author Florian Roth (Nextron Systems). Source: process started. Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$20428,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, ParentProcessId: 5324, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2640, ProcessName: powershell.exe
Sigma match, rule authors Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community. Source: process started. Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6968, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6844, ProcessName: sc.exe
Sigma match, rule author Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Source: process started. Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$20428,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, ParentProcessId: 5324, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2640, ProcessName: powershell.exe
No Suricata rule has matched
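The process tree and the Sigma matches above describe one installation sequence: the Inno Setup .tmp spawns PowerShell to exclude the whole C:\ drive from Defender, then cmd.exe/sc.exe register "C:\Program Files (x86)\Windows NT\tProtect.dll" as a kernel-mode service named CleverSoar and issue `sc start CleverSoar` dozens of times. The Python below is an added example, not part of the Joe Sandbox report and not the code of any Sigma rule: it parses a constructed subset of the tree in the report's own "• image (PID: n cmdline: ... MD5: ...)" layout into process-creation events and runs three detections modelled on the matched rules. The event field names, the severity labels and the retry threshold are this example's own assumptions.

```python
"""Added example (not from the Joe Sandbox report): parse the report's process
tree into process-creation events and run three detections modelled on the
Sigma matches above. Field names, thresholds and severity labels are this
example's own assumptions."""
import re
from collections import Counter

# Constructed subset of the report's process tree, in Joe Sandbox's
# "• image (PID: n cmdline: ... MD5: ...)" layout; indentation encodes the parent.
TREE = r"""
  • #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe (PID: 2844 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" MD5: 600E95B436735AEC1A9E8667C9E07396)
    • #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp (PID: 5324 cmdline: "C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$20428,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" MD5: 22F03937DBEFC57A5B60577F7577D53A)
      • powershell.exe (PID: 2640 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6968 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6844 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  • cmd.exe (PID: 7288 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7304 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  • cmd.exe (PID: 7320 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7340 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  • cmd.exe (PID: 7424 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7436 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
"""

LINE_RE = re.compile(
    r"^(?P<indent>\s*)• (?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-F]{32})\)$"
)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")                        # 'C:' or 'C:\'
DRIVERS_DIR = re.compile(r"^[A-Za-z]:\\Windows\\System32\\drivers\\", re.I)


def parse_tree(text):
    """Turn the indented tree into events with pid/ppid; the parent is derived from indentation."""
    events, stack = [], []            # stack holds (indent, pid) of the open ancestors
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indent = len(m["indent"])
        while stack and stack[-1][0] >= indent:
            stack.pop()
        ev = {"pid": int(m["pid"]), "ppid": stack[-1][1] if stack else None,
              "image": m["image"], "cmd": m["cmd"], "md5": m["md5"]}
        events.append(ev)
        stack.append((indent, ev["pid"]))
    return events


def lineage(events, pid):
    """Image names from the root ancestor down to pid (Sigma ParentImage context).
    Keyed on PID only, so it is only safe on a slice of the tree without PID reuse."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect_defender_exclusion(events):
    """Add-MpPreference with an -Exclusion* argument (cf. 'Powershell Defender Exclusion').
    A drive-root exclusion disables scanning for the whole volume, so rate it critical."""
    hits = []
    for ev in events:
        cmd = ev["cmd"]
        if "add-mppreference" not in cmd.lower():
            continue
        if not re.search(r"-Exclusion(Path|Extension|Process)", cmd, re.I):
            continue
        paths = re.findall(r"-ExclusionPath\s+'([^']*)'", cmd, re.I)
        severity = "critical" if any(DRIVE_ROOT.match(p) for p in paths) else "high"
        hits.append((ev["pid"], severity, paths))
    return hits


def detect_kernel_driver_via_sc(events):
    """sc create/config ... type= kernel (cf. 'New Kernel Driver Via SC.EXE').
    Also reports whether binPath lies outside the System32\\drivers directory."""
    hits = []
    for ev in events:
        if ev["image"].lower() != "sc.exe":
            continue
        m = re.match(r"sc\s+(create|config)\s+(\S+)\s+(.*)", ev["cmd"], re.I)
        if not m or not re.search(r"type=\s*kernel", m.group(3), re.I):
            continue
        bp = re.search(r'binPath=\s*(?:"([^"]*)"|(\S+))', m.group(3), re.I)
        binpath = (bp.group(1) or bp.group(2)) if bp else None
        outside = binpath is not None and not DRIVERS_DIR.match(binpath)
        hits.append((ev["pid"], m.group(2), binpath, outside))
    return hits


def detect_service_start_loop(events, threshold=3):
    """Repeated 'sc start <name>' from sc.exe: the report shows dozens of starts of
    CleverSoar, which is consistent with a retry loop around a failing driver load."""
    starts = Counter()
    for ev in events:
        if ev["image"].lower() == "sc.exe":
            m = re.match(r"sc\s+start\s+(\S+)", ev["cmd"], re.I)
            if m:
                starts[m.group(1)] += 1
    return {name: n for name, n in starts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_tree(TREE)
    for pid, sev, paths in detect_defender_exclusion(evs):
        print(f"[{sev}] pid {pid} Defender exclusion {paths} via {' > '.join(lineage(evs, pid))}")
    for pid, name, binpath, outside in detect_kernel_driver_via_sc(evs):
        print(f"[high] pid {pid} kernel service {name!r} binPath={binpath!r} outside drivers dir={outside}")
    for name, n in detect_service_start_loop(evs).items():
        print(f"[medium] service {name!r} started {n} times")
```

Run as-is to print the findings for the embedded subset. Before feeding the full tree from the report into `lineage`, note that the sandbox reused PIDs during this run (5324, 6968 and 2844 each appear twice in the tree above), so key on PID plus start order rather than PID alone; on live Sysmon or 4688 telemetry the process GUID removes that ambiguity.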


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; ReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; VirusTotal: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\is-SIRUE.tmp\update.vbc; ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\is-SSCD5.tmp\update.vbc; ReversingLabs: Detection: 26%
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe; ReversingLabs: Detection: 13%
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe; VirusTotal: Detection: 13%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 83.5% probability
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb; source: 7zr.exe, 0000000C.00000003.1832376131.0000000003890000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1832563713.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr (the PDB path shows that tProtect.dll, the file registered as the CleverSoar kernel service in the process tree, is an amd64 driver build named TfSysMon despite its .dll extension)
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Code function 6_2_6BE8E090: FindFirstFileA,FindClose,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function 10_2_00426868: __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function 10_2_00427496: __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000003.1801001032.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr; Strings found in binary or memory. All of these are DigiCert AIA, CRL, OCSP and CPS URLs from Authenticode signature data embedded in the files, not addresses the sample chooses to contact (the trailing characters such as "0E" are adjacent ASN.1 bytes picked up by the string scan); it is worth checking which EV code-signing certificate signed the dropped files and whether that signature still verifies:
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  • http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  • http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  • http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  • http://ocsp.digicert.com0A
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0H
  • http://ocsp.digicert.com0I
  • http://ocsp.digicert.com0X
  • http://www.digicert.com/CPS0
  • http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1709632961.0000000003630000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1710021774.000000007FB0B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000000.1712114359.0000000000D61000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000006.00000000.1804609980.0000000000D0D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.5.dr, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.0.dr; String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1709632961.0000000003630000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1710021774.000000007FB0B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000000.1712114359.0000000000D61000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000006.00000000.1804609980.0000000000D0D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.5.dr, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.0.dr; String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Process information set: 01 00 00 00 (ProcessBreakOnTermination set to 1: the process marks itself critical, so terminating it bugchecks the machine; setting it requires SeDebugPrivilege, which matches the "Enables debug privileges" signature, and it is the behaviour behind "Protects its processes via BreakOnTermination flag")

System Summary

Source: update.vbc.1.dr | Static PE information: section name: .aQ#
Source: update.vbc.6.dr | Static PE information: section name: .aQ#
Source: hrsw.vbc.6.dr | Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BD13886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BE98810 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BD13A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BD139CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BD13D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BD13D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BD13C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BE99450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BD11950: CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BD14754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BD14754
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6C078D12
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BFA7A46
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BE9A133
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BE94860
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6C06B06F
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6C003881
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BFE4F0A
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6C01CB30
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BED3BCA
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BEE3B66
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BF40AD0
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BF44AA0
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BF57AA0
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BF42A50
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BF4C9F0
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BECB972
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BF5D930
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BF41810
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BEE5EC9
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BECBEA1
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BF4CE80
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BF46D50
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BEF9CE0
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BF43020
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BECF7CF
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BF6C700
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BF4C6E0
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BF525C0
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BF45580
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BEE840A
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BF56750
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004681EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0043E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004A81C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004B8240
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004A22E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004C2300
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004BC3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004B04C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0048E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004A25F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00498650
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004966D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0049A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00470943
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0049C950
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004BE990
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004A2A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0047AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00498C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004A6CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004B0E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004B4EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004AD089
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004810AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0048B121
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004B1120
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004B91C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0049D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0049B180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004A5180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004B7200
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004BD2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004BF3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004253CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0044B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004853F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004AF3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004BD470
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00497410
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004AF420
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004B54D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0046D496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004B1550
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00421572
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0049F500
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004C351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004B3530
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004BF599
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00479652
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004C3601
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004AD6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00439766
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004297CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004B77C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0044F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0049F910
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004BD9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0043BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00473AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004A7AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00421AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004A7C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0043BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0049FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004A5E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004A5F80
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Windows NT\hrsw.vbc 34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: String function: 6BECC240 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: String function: 6BF69F10 appears 415 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 004228E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 004BFB10 appears 720 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00421E40 appears 84 times
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000000.1707515897.0000000000F59000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameDHCHEkp1qRkkZ9.exe vs #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1710021774.000000007FE0A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameDHCHEkp1qRkkZ9.exe vs #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1709632961.000000000374E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameDHCHEkp1qRkkZ9.exe vs #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Binary or memory string: OriginalFileNameDHCHEkp1qRkkZ9.exe vs #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal96.evad.winEXE@148/31@0/0
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BE99450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00429313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00433D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00429252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Code function: 6_2_6BE98930 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | File created: C:\Program Files (x86)\Windows NT\is-G1N6L.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5840:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7880:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7252:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:928:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7976:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8172:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7500:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7568:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7448:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5232:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6968:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7372:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2148:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7312:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7668:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2844:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7176:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7216:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | File created: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | ReversingLabs: Detection: 13%
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Virustotal: Detection: 13%
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Process created: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$20428,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe"
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | Process created: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$50160,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe Process created: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$20428,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe"
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe Process created: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$50160,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe Static file information: File size 7420234 > 1048576
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1832376131.0000000003890000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1832563713.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_004A57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_004A57D0
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x343aef
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.5.dr Static PE information: real checksum: 0x0 should be: 0x343aef
Source: update.vbc.6.dr Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: update.vbc.1.dr Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe Static PE information: real checksum: 0x0 should be: 0x715482
Source: hrsw.vbc.6.dr Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: tProtect.dll.12.dr Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe Static PE information: section name: .didata
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.0.dr Static PE information: section name: .didata
Source: update.vbc.1.dr Static PE information: section name: .00cfg
Source: update.vbc.1.dr Static PE information: section name: .voltbl
Source: update.vbc.1.dr Static PE information: section name: .aQ#
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.5.dr Static PE information: section name: .didata
Source: 7zr.exe.6.dr Static PE information: section name: .sxdata
Source: update.vbc.6.dr Static PE information: section name: .00cfg
Source: update.vbc.6.dr Static PE information: section name: .voltbl
Source: update.vbc.6.dr Static PE information: section name: .aQ#
Source: hrsw.vbc.6.dr Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Code function: 6_2_6BD40F00 push ss; retn 0001h 6_2_6BD40F0A
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Code function: 6_2_6BE9BDDB push ecx; ret 6_2_6BE9BDEE
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Code function: 6_2_6BECE9F4 push 004AC35Ch; ret 6_2_6BECEA0E
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Code function: 6_2_6BF69F10 push eax; ret 6_2_6BF69F2E
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Code function: 6_2_6BF6A290 push eax; ret 6_2_6BF6A2BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_004245F4 push 004CC35Ch; ret 10_2_0042460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_004BFB10 push eax; ret 10_2_004BFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_004BFE90 push eax; ret 10_2_004BFEBE
Source: update.vbc.1.dr Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: update.vbc.6.dr Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: hrsw.vbc.6.dr Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Program Files (x86)\Windows NT\7zr.exe File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp File created: C:\Users\user\AppData\Local\Temp\is-SSCD5.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp File created: C:\Users\user\AppData\Local\Temp\is-SIRUE.tmp\update.vbc
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe File created: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe File created: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp File created: C:\Users\user\AppData\Local\Temp\is-SIRUE.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp File created: C:\Users\user\AppData\Local\Temp\is-SSCD5.tmp\_isetup\_setup64.tmp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6545
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3256
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Window / User API: threadDelayed 549
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Window / User API: threadDelayed 581
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SSCD5.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SIRUE.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SSCD5.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SIRUE.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe; API coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4828; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Code function: 6_2_6BE8E090 FindFirstFileA,FindClose,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00426868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00427496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00429C60 GetSystemInfo
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000002.1816727798.00000000015AE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000002.1816727798.00000000015AE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Code function: 6_2_6BD13886 NtSetInformationThread 00000000,00000011,00000000,00000000
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Code function: 6_2_6BEA3871 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_004A57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Code function: 6_2_6BEA286D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Code function: 6_2_6BEAD456 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Code function: 6_2_6BEAD425 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Code function: 6_2_6BE9C3AD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.12.dr; Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe; Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; Code function: 6_2_6BF6A720 cpuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_0042AB2A GetSystemTimeAsFileTime
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_004C0090 GetVersion
ATT&CK matrix by tactic (numbers in parentheses are the per-technique counts as given in the report):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Command and Scripting Interpreter (2), Service Execution (1), Native API (1), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: Windows Service (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: Access Token Manipulation (1), Windows Service (1), Process Injection (111), DLL Side-Loading (1), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: Masquerading (11), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (231), Access Token Manipulation (1), Process Injection (111), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1), Security Software Discovery (421), Virtualization/Sandbox Evasion (231), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (2), File and Directory Discovery (3), System Information Discovery (25), Network Sniffing
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Behavior Graph (ID: 1580582; sample: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe; start date: 25/12/2024; architecture: WINDOWS; score: 96), rendered here as a process tree with dropped files and triggered signatures:

Start-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; 3 other signatures

Start
  #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
    dropped: C:\...\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp (PE32)
    #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
      dropped: C:\Users\user\AppData\Local\...\update.vbc (PE32)
      dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      signature: Adds a directory exclusion to Windows Defender
      #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
        dropped: C:\...\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp (PE32)
        #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
          dropped: C:\Users\user\AppData\Local\...\update.vbc (PE32)
          dropped: C:\Program Files (x86)\Windows NT\hrsw.vbc (PE32)
          dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
          dropped: C:\Program Files (x86)\Windows NT\7zr.exe (PE32)
          signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
          7zr.exe
            dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+)
            conhost.exe
          7zr.exe
      powershell.exe
        signature: Loading BitLocker PowerShell Module
        conhost.exe
        WmiPrvSE.exe
      conhost.exe
  cmd.exe
    sc.exe
      conhost.exe
  cmd.exe
    sc.exe
      conhost.exe
  31 other processes
    sc.exe (3 instances, each with a conhost.exe child)
    27 other processes
      27 other processes

Antivirus detection, submitted file (Source; Detection; Scanner; Label):
#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe; 13%; ReversingLabs; Win32.Ransomware.Generic
#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe; 13%; Virustotal
Antivirus detection, dropped files (Source; Detection; Scanner):
C:\Program Files (x86)\Windows NT\7zr.exe; 0%; ReversingLabs
C:\Program Files (x86)\Windows NT\7zr.exe; 0%; Virustotal
C:\Program Files (x86)\Windows NT\hrsw.vbc; 26%; ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc; 49%; Virustotal
C:\Program Files (x86)\Windows NT\tProtect.dll; 9%; ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll; 6%; Virustotal
C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp; 1%; Virustotal
C:\Users\user\AppData\Local\Temp\is-SIRUE.tmp\_isetup\_setup64.tmp; 0%; ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SIRUE.tmp\update.vbc; 26%; ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SSCD5.tmp\_isetup\_setup64.tmp; 0%; ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SSCD5.tmp\update.vbc; 26%; ReversingLabs
No Antivirus matches
No contacted domains info
URLs (Name; Source; Malicious; Antivirus Detection; Reputation):
https://jrsoftware.org/ishelp/index.php?topic=setupcmdline; Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe; Malicious: false; Reputation: high
https://www.remobjects.com/ps; Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1709632961.0000000003630000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1710021774.000000007FB0B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000000.1712114359.0000000000D61000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000006.00000000.1804609980.0000000000D0D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.5.dr, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.0.dr; Malicious: false; Reputation: high
https://www.innosetup.com/; Source: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1709632961.0000000003630000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, 00000000.00000003.1710021774.000000007FB0B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000001.00000000.1712114359.0000000000D61000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp, 00000006.00000000.1804609980.0000000000D0D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.5.dr, #U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp.0.dr; Malicious: false; Reputation: high
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580582
Start date and time: 2024-12-25 11:25:34 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 110
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe (renamed because the original name is a hash value)
Original Sample Name: _2.1.0.exe
Detection: MAL
Classification: mal96.evad.winEXE@148/31@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 74%
• Number of executed functions: 121
• Number of non-executed functions: 103
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
• Excluded processes from analysis (whitelisted): Conhost.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context
Joe Sandbox View context (Match; Associated Sample Name / URL; Detection; Threat Name):
Match: C:\Program Files (x86)\Windows NT\7zr.exe
• yvaKqhmD4L.exe; malicious; Unknown
• yvaKqhmD4L.exe; malicious; Unknown
• #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe; malicious; Unknown
• #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe; malicious; Unknown
• #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe; malicious; Unknown
• #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe; malicious; Unknown
• #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe; malicious; Unknown
• #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe; malicious; Unknown
• #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe; malicious; Unknown
Match: C:\Program Files (x86)\Windows NT\hrsw.vbc
• yvaKqhmD4L.exe; malicious; Unknown
• yvaKqhmD4L.exe; malicious; Unknown
• #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe; malicious; Unknown
• #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe; malicious; Unknown
• #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe; malicious; Unknown
• #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe; malicious; Unknown
• #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe; malicious; Unknown
• #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe; malicious; Unknown
• #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe; malicious; Unknown
Process: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: yvaKqhmD4L.exe, Detection: malicious
• Filename: yvaKqhmD4L.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious
Process: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
File Type: data
Category: dropped
Size (bytes): 2013712
Entropy (8bit): 7.999909775731037
Encrypted: true
SSDEEP: 49152:BTyiWK1WyN+RDxRtFXvjJXlvm53Xc1irkBwMP:BuX+wTPN1BP
MD5: 8F08CC7E63D6300EC045AB1F8F9AA951
SHA1: 2D96E43F4D7DCE2FB4DE60FA86C06BECA936F1CB
SHA-256: 318B7D9D3A6D887B15103373F195640A971FC6741F1D3274D760231A54664150
SHA-512: A43161CA6A430E8EF8E4BC379FE8A3A0D2791D8F5EAB0A1D08DAAFF91CBBEF4827EAE83DAE4D4A43E52F5D2EEFB63393EE8D925CA8D69AB2F8C6185531858658
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3621376
Entropy (8bit): 7.006090025798393
Encrypted: false
SSDEEP: 98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
MD5: FCADEAE28FCC52FD286350DFEECD82E5
SHA1: 48290AA098DEDE53C457FC774063C3198754A161
SHA-256: 34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
SHA-512: 56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 26%
• Antivirus: Virustotal, Detection: 49%
Joe Sandbox View:
• Filename: yvaKqhmD4L.exe, Detection: malicious
• Filename: yvaKqhmD4L.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious
Process: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
File Type: data
Category: dropped
Size (bytes): 2013712
Entropy (8bit): 7.999909775731037
Encrypted: true
SSDEEP: 49152:BTyiWK1WyN+RDxRtFXvjJXlvm53Xc1irkBwMP:BuX+wTPN1BP
MD5: 8F08CC7E63D6300EC045AB1F8F9AA951
SHA1: 2D96E43F4D7DCE2FB4DE60FA86C06BECA936F1CB
SHA-256: 318B7D9D3A6D887B15103373F195640A971FC6741F1D3274D760231A54664150
SHA-512: A43161CA6A430E8EF8E4BC379FE8A3A0D2791D8F5EAB0A1D08DAAFF91CBBEF4827EAE83DAE4D4A43E52F5D2EEFB63393EE8D925CA8D69AB2F8C6185531858658
Malicious: false
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996334153088009
Encrypted: true
SSDEEP: 1536:YywPS6FFSU9ntKk/GQo5eg5MkOnfoyV2d:Yxs8n/G7pyNnfzE
MD5: CE6B049A9CEAF1CA63DC43A8E08325D4
SHA1: 26CEC46AEB554ADCCC1CABB2867F588F3810E556
SHA-256: 8EFB2026C56587E30418E8667DB39F273A9D4C60AEEB755ED6DBF669D2346FCF
SHA-512: 38309832AB68DD51792FD4CBB11C2FB34C4A8664E4CCA52805D8DF7299A4CB159FE5C073C022D59563B5060AFFE0C0CDD4A5A31D8E251214BCF9A6F328C3D026
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996334153088005
Encrypted: true
SSDEEP: 1536:a1M9IX3uaeZQY/k1ZJOWBDtzm24KZRzhpS7SG:AM9G3wniDOWzd4aSGG
MD5: 7E6801C9BFDE2B66C069049E17685F1F
SHA1: 481F8E706F1CE00939457414A8A8D20207ED7A20
SHA-256: A30AD636349FE242B9494A277EC632DB91E42F7E8CC7814224954DC99DCD5486
SHA-512: F9E08821BF9D7E4447824941D5B5F309F8EEE3BF25694B0C15F51BF02C5292B00B28974F9341145E6A4782678E1FD0B497BFA66641BEC36761BE5B66AFA4EBE8
Malicious: false
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996966859255975
Encrypted: true
SSDEEP: 1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
MD5: CEA69F993E1CE0FB945A98BF37A66546
SHA1: 7114365265F041DA904574D1F5876544506F89BA
SHA-256: E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
SHA-512: 4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996966859255979
Encrypted: true
SSDEEP: 1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
MD5: 4CB8B7E557C80FC7B014133AB834A042
SHA1: C42E2C861FF3ED0E6A11824E12F67A344E8F783D
SHA-256: 3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
SHA-512: A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
Malicious: false
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 31890
Entropy (8bit): 7.99402458740637
Encrypted: true
SSDEEP: 768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
MD5: 8622FC7228777F64A47BD6C61478ADD9
SHA1: 9A7C15F341835F83C96DA804DC1E21FDA696BB56
SHA-256: 4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
SHA-512: 71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
Malicious: false
                                            Process:C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                            File Type:7-zip archive data, version 0.4
                                            Category:dropped
                                            Size (bytes):31890
                                            Entropy (8bit):7.99402458740637
                                            Encrypted:true
                                            SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                            MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                            SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                            SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                            SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                            Malicious:false
                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):74960
                                            Entropy (8bit):7.99759370165655
                                            Encrypted:true
                                            SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                            MD5:950338D50B95A25F494EE74E97B7B7A9
                                            SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                            SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                            SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                            File Type:7-zip archive data, version 0.4
                                            Category:dropped
                                            Size (bytes):74960
                                            Entropy (8bit):7.997593701656546
                                            Encrypted:true
                                            SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                            MD5:059BA7C31F3E227356CA5F29E4AA2508
                                            SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                            SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                            SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                            Malicious:false
                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):29730
                                            Entropy (8bit):7.994290657653607
                                            Encrypted:true
                                            SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                            MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                            SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                            SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                            SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                            File Type:7-zip archive data, version 0.4
                                            Category:dropped
                                            Size (bytes):29730
                                            Entropy (8bit):7.994290657653608
                                            Encrypted:true
                                            SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                            MD5:A9C8A3E00692F79E1BA9693003F85D18
                                            SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                            SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                            SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                            File Type:7-zip archive data, version 0.4
                                            Category:dropped
                                            Size (bytes):2013712
                                            Entropy (8bit):7.999909775731039
                                            Encrypted:true
                                            SSDEEP:24576:aeAeOnYmlpxI9mjU6aNrR9wkT4yXheu0VCZNdh5yUR3JL45INST1LGhgwFdfEsUF:aeSl7+mQ6an9FxX50qXk1ihLy5gChWsH
                                            MD5:40AB1E948FE3856EADAFC9463FF0EA8A
                                            SHA1:8DF92A812C48F2E9C0C07EEE9E52FA91DBD5EC14
                                            SHA-256:169723E66AC1D3CD061E80DCDAA8CC6AFC00FFC398DAA7B755E6985247ADA3E5
                                            SHA-512:92F2018E87B0996E1A5879FE2A3D9F7A7F7C6B5472C93ECD005B39CA206319C3F9BC87E59B82988803BA6930A1DD3C8A5412471E7EB2CC119EC531BC73A8FDF7
                                            Malicious:false
                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                            File Type:PE32+ executable (native) x86-64, for MS Windows
                                            Category:dropped
                                            Size (bytes):63640
                                            Entropy (8bit):6.482810107683822
                                            Encrypted:false
                                            SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                            MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                            SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                            SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                            SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 9%
                                            • Antivirus: Virustotal, Detection: 6%, Browse
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                                            Process:C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                            File Type:ASCII text
                                            Category:dropped
                                            Size (bytes):4096
                                            Entropy (8bit):3.3443983145211007
                                            Encrypted:false
                                            SSDEEP:48:dXKLzDlnyL6w0QldOVQOj933ODOiTdKbKsz72eW+5yF:dXazDlnHwhldOVQOj6dKbKsz7
                                            MD5:1E67E91688292692932CD9096EDEA2BD
                                            SHA1:AA8859477C235F2F194FC7C4D75EF4C082A6864B
                                            SHA-256:ED20E6ED002708041CC98B046F976B2BE43685B258AE6461F291CF73F7128924
                                            SHA-512:7C6DE3E403542FE6D33C75F286212A114C7112B8401EAC8323EDBE856CADE905CE11E0B9C4083AE01A711E6B1EC12329CBF43AB0B585BCB56FE8A0F151B47B3E
                                            Malicious:false
                                            Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\turminoob</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAva
                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1763587
                                            Entropy (8bit):7.999883611742324
                                            Encrypted:true
                                            SSDEEP:24576:ngGrcwCAZ/N47RABjDLL6uFD2z/DfjbdxUggZTCRvT3H+ReRfik9iL6W5vay+:nNrPq7RAB/zdQj8ggGR6ARN9WJar
                                            MD5:D118512C2CE146376953136C2C11E2DA
                                            SHA1:32B96DF4C8AC90710245B2B5B4B270EE1E12ED3B
                                            SHA-256:B47D07D59DB1A526BF02A84334216A8709E26F617199EFBA8B91E4D19CD4296E
                                            SHA-512:77E862C7E99D40258910F12CFA7D46633B8BEB8D1AE55D87DF17236E8331A8A7A537D8F3FA3AD1D2E38B2B05F66309866873EB18D8A353E421571964FF3827AC
                                            Malicious:false
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):64
                                            Entropy (8bit):1.1628158735648508
                                            Encrypted:false
                                            SSDEEP:3:Nlllul5mxllp:NllU4x/
                                            MD5:3A925CB766CE4286E251C26E90B55CE8
                                            SHA1:3FA8EE6E901101A4661723B94D6C9309E281BD28
                                            SHA-256:4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
                                            SHA-512:F348B4AFD42C262BBED07D6BDEA6EE4B7F5CFA2E18BFA725225584E93251188D9787506C2AFEAC482B606B1EA0341419F229A69FF1E9100B01DE42025F915788
                                            Malicious:false
                                            Preview:@...e................................................@..........
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):3366912
                                            Entropy (8bit):6.530565567370247
                                            Encrypted:false
                                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                            MD5:22F03937DBEFC57A5B60577F7577D53A
                                            SHA1:8DF2FE400E061C766AD31D400EB7EB6A63A57AB3
                                            SHA-256:ACEA922C33710AB9E3106BF3F1463FA2829EA257E747F6CABC7F59E91CC73397
                                            SHA-512:02E1FF9BC56CBF82901A6AF0E68BE00DF6124036C22F28019CD782EAF1ED23E76F2C487C91506F217AA9350BD14983E9BB9C6EB18A0DECE814FDBF52272C8DAB
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Virustotal, Detection: 1%, Browse
                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):3366912
                                            Entropy (8bit):6.530565567370247
                                            Encrypted:false
                                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                            MD5:22F03937DBEFC57A5B60577F7577D53A
                                            SHA1:8DF2FE400E061C766AD31D400EB7EB6A63A57AB3
                                            SHA-256:ACEA922C33710AB9E3106BF3F1463FA2829EA257E747F6CABC7F59E91CC73397
                                            SHA-512:02E1FF9BC56CBF82901A6AF0E68BE00DF6124036C22F28019CD782EAF1ED23E76F2C487C91506F217AA9350BD14983E9BB9C6EB18A0DECE814FDBF52272C8DAB
                                            Malicious:true
                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                            Process:C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                            Category:dropped
                                            Size (bytes):6144
                                            Entropy (8bit):4.720366600008286
                                            Encrypted:false
                                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Process:C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):3621376
                                            Entropy (8bit):7.006090025798393
                                            Encrypted:false
                                            SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                            MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                            SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                            SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                            SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 26%
                                            Process:C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                            Category:dropped
                                            Size (bytes):6144
                                            Entropy (8bit):4.720366600008286
                                            Encrypted:false
                                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Process:C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):3621376
                                            Entropy (8bit):7.006090025798393
                                            Encrypted:false
                                            SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                            MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                            SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                            SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                            SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 26%
                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                            File Type:ASCII text, with CRLF, CR line terminators
                                            Category:dropped
                                            Size (bytes):406
                                            Entropy (8bit):5.117520345541057
                                            Encrypted:false
                                            SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                            MD5:9200058492BCA8F9D88B4877F842C148
                                            SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                            SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                            SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                            Malicious:false
                                            Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Entropy (8bit):7.948220624850858
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 98.04%
                                            • Inno Setup installer (109748/4) 1.08%
                                            • InstallShield setup (43055/19) 0.42%
                                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                            File name:#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
                                            File size:7'420'234 bytes
                                            MD5:600e95b436735aec1a9e8667c9e07396
                                            SHA1:f170160f0b04e668baddd8ba0346bb527db91dd5
                                            SHA256:817888612efe9489ead214871176b5cd4b0b147001bb82bd738572d6338d5c24
                                            SHA512:675573d07e83d4ad36502c766fb3bfbb03d16407e76155ca1eb9b1b96172fe883d2856365356c5c61957959490d7ee153aecf3445b71c4bfab328abb0eb26314
                                            SSDEEP:98304:XwREO6yDBViBRU12eA2v9BmxMrsWb8jy4ai5+lL5jUvkm/HT2sA7AdMwZgz:lO6yEB2bmxMb8m7HlVUvHqs3a
                                            TLSH:B0762213F2CBD43EE05E073B19B2A25494FB7A20A522AD579AECB4ECCF255101D3E647
                                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                            Icon Hash:0c0c2d33ceec80aa
                                            Entrypoint:0x4a83bc
                                            Entrypoint Section:.itext
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:6
                                            OS Version Minor:1
                                            File Version Major:6
                                            File Version Minor:1
                                            Subsystem Version Major:6
                                            Subsystem Version Minor:1
                                            Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                            Instruction
                                            push ebp
                                            mov ebp, esp
                                            add esp, FFFFFFA4h
                                            push ebx
                                            push esi
                                            push edi
                                            xor eax, eax
                                            mov dword ptr [ebp-3Ch], eax
                                            mov dword ptr [ebp-40h], eax
                                            mov dword ptr [ebp-5Ch], eax
                                            mov dword ptr [ebp-30h], eax
                                            mov dword ptr [ebp-38h], eax
                                            mov dword ptr [ebp-34h], eax
                                            mov dword ptr [ebp-2Ch], eax
                                            mov dword ptr [ebp-28h], eax
                                            mov dword ptr [ebp-14h], eax
                                            mov eax, 004A2EBCh
                                            call 00007FF658F68155h
                                            xor eax, eax
                                            push ebp
                                            push 004A8AC1h
                                            push dword ptr fs:[eax]
                                            mov dword ptr fs:[eax], esp
                                            xor edx, edx
                                            push ebp
                                            push 004A8A7Bh
                                            push dword ptr fs:[edx]
                                            mov dword ptr fs:[edx], esp
                                            mov eax, dword ptr [004B0634h]
                                            call 00007FF658FF9ADBh
                                            call 00007FF658FF962Eh
                                            lea edx, dword ptr [ebp-14h]
                                            xor eax, eax
                                            call 00007FF658FF4308h
                                            mov edx, dword ptr [ebp-14h]
                                            mov eax, 004B41F4h
                                            call 00007FF658F62203h
                                            push 00000002h
                                            push 00000000h
                                            push 00000001h
                                            mov ecx, dword ptr [004B41F4h]
                                            mov dl, 01h
                                            mov eax, dword ptr [0049CD14h]
                                            call 00007FF658FF5633h
                                            mov dword ptr [004B41F8h], eax
                                            xor edx, edx
                                            push ebp
                                            push 004A8A27h
                                            push dword ptr fs:[edx]
                                            mov dword ptr fs:[edx], esp
                                            call 00007FF658FF9B63h
                                            mov dword ptr [004B4200h], eax
                                            mov eax, dword ptr [004B4200h]
                                            cmp dword ptr [eax+0Ch], 01h
                                            jne 00007FF65900084Ah
                                            mov eax, dword ptr [004B4200h]
                                            mov edx, 00000028h
                                            call 00007FF658FF5F28h
                                            mov edx, dword ptr [004B4200h]
                                             Name | Virtual Address | Virtual Size | Is in Section
                                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                             Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                             .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                             .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                             .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                             .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                             .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                             .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                             .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                             .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                             .rsrc | 0xcb000 | 0x11000 | 0x11000 | 337ff2608e1482ac22c0f5c41294ee7e | False | 0.18770105698529413 | data | 3.723642188828799 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                             RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                                             RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                                             RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                                             RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                                             RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                                             RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                                             RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                                             RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                                             RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                                             RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                                             RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                                             RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                                             RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                                             RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                                             RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                                             RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                                             RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                                             RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                                             RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                                             RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                                             RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                                             RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                                             RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                                             RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                                             RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                                             RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                                             RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.2045454545454546
                                             RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                                             RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2769121813031161
                                             RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                                             DLL | Import
                                             kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                             comctl32.dll | InitCommonControls
                                             user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                             oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                             advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                             Name | Ordinal | Address
                                             __dbk_fcall_wrapper | 2 | 0x40fc10
                                             dbkFCallWrapperAddr | 1 | 0x4b063c
                                             Language of compilation system | Country where language is spoken
                                             English | United States
                                            No network behavior found

                                            Target ID:0
                                            Start time:05:26:28
                                            Start date:25/12/2024
                                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe"
                                            Imagebase:0xea0000
                                            File size:7'420'234 bytes
                                            MD5 hash:600E95B436735AEC1A9E8667C9E07396
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:Borland Delphi
                                            Reputation:low
                                            Has exited:true

                                            Target ID:1
                                            Start time:05:26:28
                                            Start date:25/12/2024
                                            Path:C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Local\Temp\is-H84TN.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$20428,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe"
                                            Imagebase:0xd60000
                                            File size:3'366'912 bytes
                                            MD5 hash:22F03937DBEFC57A5B60577F7577D53A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:Borland Delphi
                                            Reputation:low
                                            Has exited:true

                                            Target ID:2
                                            Start time:05:26:29
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                            Imagebase:0x7ff788560000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:05:26:29
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:05:26:32
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                            Imagebase:0x7ff693ab0000
                                            File size:496'640 bytes
                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                            Has elevated privileges:true
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:false

                                            Target ID:5
                                            Start time:05:26:37
                                            Start date:25/12/2024
                                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" /VERYSILENT
                                            Imagebase:0xea0000
                                            File size:7'420'234 bytes
                                            MD5 hash:600E95B436735AEC1A9E8667C9E07396
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:Borland Delphi
                                            Reputation:low
                                            Has exited:false

                                            Target ID:6
                                            Start time:05:26:37
                                            Start date:25/12/2024
                                            Path:C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Local\Temp\is-1GGEB.tmp\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.tmp" /SL5="$50160,6465800,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe" /VERYSILENT
                                            Imagebase:0xa90000
                                            File size:3'366'912 bytes
                                            MD5 hash:22F03937DBEFC57A5B60577F7577D53A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:Borland Delphi
                                            Antivirus matches:
                                            • Detection: 1%, Virustotal
                                            Reputation:low
                                            Has exited:true

                                            Target ID:7
                                            Start time:05:26:39
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:05:26:40
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:9
                                            Start time:05:26:40
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:10
                                            Start time:05:26:40
                                            Start date:25/12/2024
                                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                            Wow64 process (32bit):true
                                            Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                            Imagebase:0x420000
                                            File size:831'200 bytes
                                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Antivirus matches:
                                            • Detection: 0%, ReversingLabs
                                            • Detection: 0%, Virustotal
                                            Has exited:true

                                            Target ID:11
                                            Start time:05:26:40
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:12
                                            Start time:05:26:40
                                            Start date:25/12/2024
                                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                            Wow64 process (32bit):true
                                            Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                            Imagebase:0x420000
                                            File size:831'200 bytes
                                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:13
                                            Start time:05:26:40
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:14
                                            Start time:05:26:40
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:15
                                            Start time:05:26:40
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:16
                                            Start time:05:26:40
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:17
                                            Start time:05:26:40
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:18
                                            Start time:05:26:40
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:19
                                            Start time:05:26:40
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:20
                                            Start time:05:26:41
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:21
                                            Start time:05:26:41
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:22
                                            Start time:05:26:41
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:23
                                            Start time:05:26:41
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:24
                                            Start time:05:26:41
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:25
                                            Start time:05:26:41
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:26
                                            Start time:05:26:41
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:27
                                            Start time:05:26:41
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:28
                                            Start time:05:26:41
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:29
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:30
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:31
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:32
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:33
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:34
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:35
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:36
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:37
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:38
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:39
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:40
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:41
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:42
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:43
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:44
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:45
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:46
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:47
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:48
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:49
                                            Start time:05:26:42
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:51
                                            Start time:05:26:43
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:52
                                            Start time:05:26:43
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:53
                                            Start time:05:26:43
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:54
                                            Start time:05:26:43
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:55
                                            Start time:05:26:43
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:56
                                            Start time:05:26:43
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:57
                                            Start time:05:26:43
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:58
                                            Start time:05:26:43
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:59
                                            Start time:05:26:43
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:60
                                            Start time:05:26:43
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:61
                                            Start time:05:26:43
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:62
                                            Start time:05:26:43
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:63
                                            Start time:05:26:43
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:64
                                            Start time:05:26:43
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:65
                                            Start time:05:26:43
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:66
                                            Start time:05:26:43
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:67
                                            Start time:05:26:43
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:68
                                            Start time:05:26:43
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:69
                                            Start time:05:26:44
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:70
                                            Start time:05:26:44
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:71
                                            Start time:05:26:44
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:72
                                            Start time:05:26:44
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:73
                                            Start time:05:26:44
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:74
                                            Start time:05:26:44
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:75
                                            Start time:05:26:44
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:76
                                            Start time:05:26:44
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:77
                                            Start time:05:26:44
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:78
                                            Start time:05:26:44
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:79
                                            Start time:05:26:44
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:80
                                            Start time:05:26:44
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:81
                                            Start time:05:26:44
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:82
                                            Start time:05:26:44
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:83
                                            Start time:05:26:44
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:84
                                            Start time:05:26:44
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:85
                                            Start time:05:26:44
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:86
                                            Start time:05:26:44
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:87
                                            Start time:05:26:44
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:88
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:89
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:90
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:91
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:92
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:93
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:94
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:95
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:96
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:97
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:98
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:99
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:100
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:101
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:102
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:103
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:104
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:105
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:106
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:sc start CleverSoar
                                            Imagebase:0x7ff734490000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:107
                                            Start time:05:26:45
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:108
                                            Start time:05:26:46
                                            Start date:25/12/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd /c start sc start CleverSoar
                                            Imagebase:0x7ff671d10000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                              Execution Graph

                                              Execution Coverage:1.9%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:5.2%
                                              Total number of Nodes:731
                                              Total number of Limit Nodes:8
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                              • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: _strlen
                                              • String ID: HR^
                                              • API String ID: 4218353326-1341859651
                                              • Opcode ID: fc8d06e2955c75f89ffd9768f35efaf3d5a7edea60f11927a4238a4a402da6ad
                                              • Instruction ID: ec3424e40a30b65080eaa5de34a4df63ed0e35610e88d124969af94137e37d5f
                                              • Opcode Fuzzy Hash: fc8d06e2955c75f89ffd9768f35efaf3d5a7edea60f11927a4238a4a402da6ad
                                              • Instruction Fuzzy Hash: E5740771644B02CFC728CF28C8D0695B7E3EF95328B198A6DC0E68F655E778B54ACB50

                                              Control-flow Graph

                                              control_flow_graph 4604 6be98930-6be98964 CreateToolhelp32Snapshot 4605 6be98980-6be98989 4604->4605 4606 6be9898b-6be98990 4605->4606 4607 6be989d0-6be989d5 4605->4607 4608 6be98a0d-6be98a12 4606->4608 4609 6be98992-6be98997 4606->4609 4610 6be98a34-6be98a62 call 6be9f010 Process32FirstW 4607->4610 4611 6be989d7-6be989dc 4607->4611 4616 6be98a8b-6be98a90 4608->4616 4617 6be98a14-6be98a2f CloseHandle 4608->4617 4612 6be98999-6be9899e 4609->4612 4613 6be98966-6be98973 4609->4613 4620 6be98a76-6be98a86 4610->4620 4614 6be989e2-6be989e7 4611->4614 4615 6be98a64-6be98a71 Process32NextW 4611->4615 4612->4605 4622 6be989a0-6be989ca call 6bea62f5 4612->4622 4613->4605 4614->4605 4623 6be989e9-6be98a08 4614->4623 4615->4620 4616->4605 4621 6be98a96-6be98aa4 4616->4621 4617->4605 4620->4605 4622->4605 4623->4605
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6BE9893E
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                              • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: CreateSnapshotToolhelp32
                                              • String ID:
                                              • API String ID: 3332741929-0
                                              • Opcode ID: b38f6735a3080be7bfa1dfa9776f00a1eec2454077f2fd2ec61e6892d8bd98ed
                                              • Instruction ID: a929cb02bbd12bded9afab2458bbed8b8ef433226faf9888785088eb1edb7633
                                              • Opcode Fuzzy Hash: b38f6735a3080be7bfa1dfa9776f00a1eec2454077f2fd2ec61e6892d8bd98ed
                                              • Instruction Fuzzy Hash: 90317E70509301AFD701AF68D88475ABBE4AF8A788F204D6DF4C8D6370D779D8998B53

                                              Control-flow Graph

                                              control_flow_graph 4877 6bd13886-6bd1388e 4878 6bd13970-6bd1397d 4877->4878 4879 6bd13894-6bd13896 4877->4879 4881 6bd139f1-6bd139f8 4878->4881 4882 6bd1397f-6bd13989 4878->4882 4879->4878 4880 6bd1389c-6bd138b9 4879->4880 4883 6bd138c0-6bd138c1 4880->4883 4885 6bd13ab5-6bd13aba 4881->4885 4886 6bd139fe-6bd13a03 4881->4886 4882->4880 4884 6bd1398f-6bd13994 4882->4884 4887 6bd1395e 4883->4887 4889 6bd13b16-6bd13b18 4884->4889 4890 6bd1399a-6bd1399f 4884->4890 4885->4880 4888 6bd13ac0-6bd13ac7 4885->4888 4891 6bd138d2-6bd138d4 4886->4891 4892 6bd13a09-6bd13a2f 4886->4892 4895 6bd13960-6bd13964 4887->4895 4888->4883 4894 6bd13acd-6bd13ad6 4888->4894 4889->4883 4896 6bd139a5-6bd139bf 4890->4896 4897 6bd1383b-6bd13855 call 6be62a20 call 6be62a30 4890->4897 4893 6bd13957-6bd1395c 4891->4893 4898 6bd13a35-6bd13a3a 4892->4898 4899 6bd138f8-6bd13955 4892->4899 4893->4887 4894->4889 4904 6bd13ad8-6bd13aeb 4894->4904 4900 6bd13860-6bd13885 4895->4900 4901 6bd1396a 4895->4901 4906 6bd13a5a-6bd13a5d 4896->4906 4897->4900 4902 6bd13a40-6bd13a57 4898->4902 4903 6bd13b1d-6bd13b22 4898->4903 4899->4893 4900->4877 4907 6bd13ba1-6bd13bb6 4901->4907 4902->4906 4912 6bd13b24-6bd13b44 4903->4912 4913 6bd13b49-6bd13b50 4903->4913 4904->4899 4910 6bd13af1-6bd13af8 4904->4910 4908 6bd13a87-6bd13aa7 4906->4908 4909 6bd13aa9-6bd13ab0 4906->4909 4915 6bd13bc0-6bd13bda call 6be62a20 call 6be62a30 4907->4915 4908->4909 4909->4895 4916 6bd13b62-6bd13b85 4910->4916 4917 6bd13afa-6bd13aff 4910->4917 4912->4908 4913->4883 4919 6bd13b56-6bd13b5d 4913->4919 4928 6bd13be0-6bd13bfe 4915->4928 4916->4899 4924 6bd13b8b 4916->4924 4917->4893 4919->4895 4924->4907 4931 6bd13c04-6bd13c11 4928->4931 4932 6bd13e7b 4928->4932 4934 6bd13ce0-6bd13cea 4931->4934 4935 6bd13c17-6bd13c20 4931->4935 4933 6bd13e81-6bd13ee0 call 6bd13750 GetCurrentThread NtSetInformationThread 4932->4933 4953 6bd13eea-6bd13f04 call 6be62a20 call 6be62a30 4933->4953 4936 6bd13d3a-6bd13d3c 
4934->4936 4937 6bd13cec-6bd13d0c 4934->4937 4939 6bd13dc5 4935->4939 4940 6bd13c26-6bd13c2d 4935->4940 4944 6bd13d70-6bd13d8d 4936->4944 4945 6bd13d3e-6bd13d45 4936->4945 4943 6bd13d90-6bd13d95 4937->4943 4947 6bd13dc6 4939->4947 4941 6bd13dc3 4940->4941 4942 6bd13c33-6bd13c3a 4940->4942 4941->4939 4948 6bd13c40-6bd13c5b 4942->4948 4949 6bd13e26-6bd13e2b 4942->4949 4951 6bd13d97-6bd13db8 4943->4951 4952 6bd13dba-6bd13dc1 4943->4952 4944->4943 4950 6bd13d50-6bd13d57 4945->4950 4954 6bd13dc8-6bd13dcc 4947->4954 4955 6bd13e1b-6bd13e24 4948->4955 4956 6bd13e31 4949->4956 4957 6bd13c7b-6bd13cd0 4949->4957 4950->4947 4951->4939 4952->4941 4960 6bd13dd7-6bd13ddc 4952->4960 4971 6bd13f75-6bd13fa1 4953->4971 4954->4928 4958 6bd13dd2 4954->4958 4955->4954 4956->4915 4957->4950 4961 6bd13e76-6bd13e79 4958->4961 4963 6bd13e36-6bd13e3d 4960->4963 4964 6bd13dde-6bd13e17 4960->4964 4961->4933 4966 6bd13e5c-6bd13e5f 4963->4966 4967 6bd13e3f-6bd13e5a 4963->4967 4964->4955 4966->4957 4969 6bd13e65-6bd13e69 4966->4969 4967->4955 4969->4954 4969->4961 4975 6bd14020-6bd14026 4971->4975 4976 6bd13fa3-6bd13fa8 4971->4976 4979 6bd13f06-6bd13f35 4975->4979 4980 6bd1402c-6bd1403c 4975->4980 4977 6bd1407c-6bd14081 4976->4977 4978 6bd13fae-6bd13fcf 4976->4978 4983 6bd14083-6bd1408a 4977->4983 4984 6bd140aa-6bd140ae 4977->4984 4978->4984 4985 6bd13f38-6bd13f61 4979->4985 4981 6bd140b3-6bd140b8 4980->4981 4982 6bd1403e-6bd14058 4980->4982 4981->4978 4989 6bd140be-6bd140c9 4981->4989 4986 6bd1405a-6bd14063 4982->4986 4983->4985 4987 6bd14090 4983->4987 4988 6bd13f6b-6bd13f6f 4984->4988 4990 6bd13f64-6bd13f67 4985->4990 4991 6bd140f5-6bd1413f 4986->4991 4992 6bd14069-6bd1406c 4986->4992 4987->4953 4988->4971 4989->4984 4993 6bd140cb-6bd140d4 4989->4993 4994 6bd13f69 4990->4994 4991->4994 4995 6bd14072-6bd14077 4992->4995 4996 6bd14144-6bd1414b 4992->4996 4997 6bd140a7 4993->4997 4998 6bd140d6-6bd140f0 4993->4998 4994->4988 4995->4990 4996->4988 4997->4984 4998->4986
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                              • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 15962b63fbf74a91a42e18ca5400964c6ac70a7605dfa420cfe48e72b4e860aa
                                              • Instruction ID: 1ea9dbdf613573b6be239e4e58943774a6df037427729d4572e7d109fbb347f1
                                              • Opcode Fuzzy Hash: 15962b63fbf74a91a42e18ca5400964c6ac70a7605dfa420cfe48e72b4e860aa
                                              • Instruction Fuzzy Hash: 1332C032249B01CFC334CF28D890696B7E3EF913347698A6DC0EA5F695D779B44A8B50
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                              • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: CurrentThread
                                              • String ID:
                                              • API String ID: 2882836952-0
                                              • Opcode ID: 6f8beac5c66190d45622e8fbb154f9e1c304f303b2dd46b2d1db8154aeb9331e
                                              • Instruction ID: 9d21aa19a5b0780121aa58b9f3ce47611a0fbfed2696409dfe1df34ce2739adb
                                              • Opcode Fuzzy Hash: 6f8beac5c66190d45622e8fbb154f9e1c304f303b2dd46b2d1db8154aeb9331e
                                              • Instruction Fuzzy Hash: E651E0725587019FC330CF28D880785B7A3BF95334F698A6DC0EA5F295EB78B4468B51
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                              • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: CurrentThread
                                              • String ID:
                                              • API String ID: 2882836952-0
                                              • Opcode ID: ec56f7b129f9646f26cfaf93d69488cb9f8596b59fb1c69d7fc2f1530d739450
                                              • Instruction ID: 4bc61e7897eef9a94542d088d8ed78ba075a81ce306dbba3ff711f2779950ac8
                                              • Opcode Fuzzy Hash: ec56f7b129f9646f26cfaf93d69488cb9f8596b59fb1c69d7fc2f1530d739450
                                              • Instruction Fuzzy Hash: 0D51DD71508B01DBC330CF28D480796B7A3BF95334F698A5DC0EA5F295EB78B4468B91
                                              APIs
                                              • GetCurrentThread.KERNEL32 ref: 6BD13E9D
                                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BD13EAA
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                              • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: Thread$CurrentInformation
                                              • String ID:
                                              • API String ID: 1650627709-0
                                              • Opcode ID: 75e96401dcb9eba407a3e86cf2885a48040b4366bcc9f61722830557de21ae28
                                              • Instruction ID: 78515c30b2cf7409bf4deceb6cb2559ea4ed8030b2800429008290b91d8fb59c
                                              • Opcode Fuzzy Hash: 75e96401dcb9eba407a3e86cf2885a48040b4366bcc9f61722830557de21ae28
                                              • Instruction Fuzzy Hash: A931F071559B01CBC330CF24D8847C6B7A3AF96334F298A1CC0EA5F290EB78700A8B51
                                              APIs
                                              • GetCurrentThread.KERNEL32 ref: 6BD13E9D
                                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BD13EAA
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                              • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: Thread$CurrentInformation
                                              • String ID:
                                              • API String ID: 1650627709-0
                                              • Opcode ID: 256e7f5b747a4288e37b38e0937100a6697935bf07757875da833fac0825bc21
                                              • Instruction ID: 0bb26d8dabe5b139da5b7b8ac4a851ad069a3bdc94e2beedf7819dcf48b81cf3
                                              • Opcode Fuzzy Hash: 256e7f5b747a4288e37b38e0937100a6697935bf07757875da833fac0825bc21
                                              • Instruction Fuzzy Hash: 1E310F71018701DBC734CF28D490796B7A7AF92328F254A6CC0EA4F281EBB9B045CF51
                                              APIs
                                              • GetCurrentThread.KERNEL32 ref: 6BD13E9D
                                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BD13EAA
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                              • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: Thread$CurrentInformation
                                              • String ID:
                                              • API String ID: 1650627709-0
                                              • Opcode ID: fc38bb24a121d54a1f900ceb3fe4c689dea96beff7d45a48e4d1649c1f434284
                                              • Instruction ID: e7acf3ed6fc94402382eb8dae0fc70d145495302d639fdbaed2e2854840bd9d5
                                              • Opcode Fuzzy Hash: fc38bb24a121d54a1f900ceb3fe4c689dea96beff7d45a48e4d1649c1f434284
                                              • Instruction Fuzzy Hash: A921D17055C701DBD734CF34D890796B7A6AF52334F248A2DC0EA8F290EBB8A4458F51
                                              APIs
                                              • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6BE98820
                                              • OpenServiceA.ADVAPI32(?,?,00000004), ref: 6BE988C5
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                              • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: Open$ManagerService
                                              • String ID:
                                              • API String ID: 2351955762-0
                                              • Opcode ID: 864623a6a222c9c84b9c90fe631b2850e653b75e8527db5f419d50f1a9274223
                                              • Instruction ID: ffb87db28a0c525cd0056512535da2b4223c12dff779be0726eb69c12cacfe58
                                              • Opcode Fuzzy Hash: 864623a6a222c9c84b9c90fe631b2850e653b75e8527db5f419d50f1a9274223
                                              • Instruction Fuzzy Hash: EA31F874928341AFC710AF28D849B0EBBF0AB89794F508859F498D7361D375C8598B67
                                              APIs
                                              • FindFirstFileA.KERNEL32(?,?), ref: 6BE8E0AC
                                              • FindClose.KERNEL32(000000FF), ref: 6BE8E0E2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                              • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: Find$CloseFileFirst
                                              • String ID:
                                              • API String ID: 2295610775-0
                                              • Opcode ID: b2d9631792c81f9d9e1aee7bdb799c1614125f2041f916fce3a53afc825748c1
                                              • Instruction ID: 31df27de0d2d9d9db8782a84597d73a6b46c47ff10cfdcb9b9152dfa758af417
                                              • Opcode Fuzzy Hash: b2d9631792c81f9d9e1aee7bdb799c1614125f2041f916fce3a53afc825748c1
                                              • Instruction Fuzzy Hash: F3114C7452CB51DFC7108F28C944A4ABBE4AF86714F248D4AF4A9C73A0D738D8998B43

                                               Control-flow Graph (interactive graph of executed / not executed blocks; not reproduced here)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                               • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8Q
                                              • API String ID: 0-4022487301
                                              • Opcode ID: 7bb39e8d398f01a4bc245b6581bad063a38e9200a71979690e47e516d3e6c2ef
                                              • Instruction ID: 28346582a5cd30cbe3d90a2ad57bb684f5eb7f187ed842aa64093d914826582a
                                              • Opcode Fuzzy Hash: 7bb39e8d398f01a4bc245b6581bad063a38e9200a71979690e47e516d3e6c2ef
                                              • Instruction Fuzzy Hash: 33C1E670E042059FDF15CFA8CA90BADBBB4AF4A318F20449DE514AB383C739E955CB61

                                               Control-flow Graph (interactive graph of executed / not executed blocks; not reproduced here)
                                              APIs
                                                • Part of subcall function 6BEB7B47: CreateFileW.KERNEL32(00000000,00000000,?,6BEB7805,?,?,00000000,?,6BEB7805,00000000,0000000C), ref: 6BEB7B64
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BEB7870
                                              • __dosmaperr.LIBCMT ref: 6BEB7877
                                              • GetFileType.KERNEL32(00000000), ref: 6BEB7883
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BEB788D
                                              • __dosmaperr.LIBCMT ref: 6BEB7896
                                              • CloseHandle.KERNEL32(00000000), ref: 6BEB78B6
                                              • CloseHandle.KERNEL32(6BEAE7C0), ref: 6BEB7A03
                                              • GetLastError.KERNEL32 ref: 6BEB7A35
                                              • __dosmaperr.LIBCMT ref: 6BEB7A3C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                               • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                              • String ID: 8Q
                                              • API String ID: 4237864984-4022487301
                                              • Opcode ID: c9a78ebbfc1f0a16d21ec0b2efdd0f39f308199e57f68abcca39c1d6c0485eed
                                              • Instruction ID: 4216e3321ec0822c28f6e732bdeb7ff63dd06d322016b96e737dfa554fffa7f7
                                              • Opcode Fuzzy Hash: c9a78ebbfc1f0a16d21ec0b2efdd0f39f308199e57f68abcca39c1d6c0485eed
                                              • Instruction Fuzzy Hash: 1AA14532A141159FCF199F78CD91BAE7BB1AB07328F24019DE811EF391DB398926CB51
                                              APIs
                                              • WriteFile.KERNEL32(?,?,00000038,?,00000000), ref: 6BE6B62F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                               • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: FileWrite
                                              • String ID: *$,=ym$-=ym$-=ym$B$H
                                              • API String ID: 3934441357-3163594065
                                              • Opcode ID: e3563dce2eda221f7647ea04d1c4d0167ff2eafd038cb5d4771a05fb670eacbb
                                              • Instruction ID: 6ce035a6718fd230c5fe42194a593e7df8a18cee4f2691ec4570f5369922ad54
                                              • Opcode Fuzzy Hash: e3563dce2eda221f7647ea04d1c4d0167ff2eafd038cb5d4771a05fb670eacbb
                                              • Instruction Fuzzy Hash: F6729C70A883459FCB14CF28C49169EBBE2AF89744F248D5EF599CB350E778D8468B43
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                               • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: ;T55
                                              • API String ID: 0-2572755013
                                              • Opcode ID: c3f86d3c8456381685120269f00ee34c73575de47e7bb4fa1a6c572046480007
                                              • Instruction ID: 4761c2f7884c3397f8d4c56a5af85f7ab0ac0f76834ddcd64be9d640da87305d
                                              • Opcode Fuzzy Hash: c3f86d3c8456381685120269f00ee34c73575de47e7bb4fa1a6c572046480007
                                              • Instruction Fuzzy Hash: 6403F131644B41CFC728CF28C8D0696B7E3AFD53287198E6DC1EA4B695DB78B44ACB50

                                               Control-flow Graph (interactive graph of executed / not executed blocks; not reproduced here)
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                               • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: CloseHandle$CreateObjectProcessSingleWait
                                              • String ID: D
                                              • API String ID: 2059082233-2746444292
                                              • Opcode ID: 11f3dd20e56c908095663f0785f8a8adbe8b46f0802e31ff91637424fcd8d889
                                              • Instruction ID: e3cb1e25ed986e7d78eb64f9cc756f2f5cd6e063c4af0029e58576aff0cf7c45
                                              • Opcode Fuzzy Hash: 11f3dd20e56c908095663f0785f8a8adbe8b46f0802e31ff91637424fcd8d889
                                              • Instruction Fuzzy Hash: 0531C271818380CFD740EF28D18475ABBF0AB99358F505A1EF8E996360D7789999CF43

                                               Control-flow Graph (interactive graph of executed / not executed blocks; not reproduced here)
                                              APIs
                                                • Part of subcall function 6BEAF5A1: GetConsoleCP.KERNEL32(?,6BEAE7C0,?), ref: 6BEAF5E9
                                              • WriteFile.KERNEL32(?,?,6BEB7DDC,00000000,00000000,?,00000000,00000000,6BEB91A6,00000000,00000000,?,00000000,6BEAE7C0,6BEB7DDC,00000000), ref: 6BEAF49F
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6BEB7DDC,6BEAE7C0,00000000,?,?,?,?,00000000,?), ref: 6BEAF4A9
                                              • __dosmaperr.LIBCMT ref: 6BEAF4EE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                               • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                              • String ID: 8Q
                                              • API String ID: 251514795-4022487301
                                              • Opcode ID: ddac1057f1f99feee76686d89cadc306cc46adfd1377a7ae8e83348a4959f65f
                                              • Instruction ID: f6e6612ac52f75b4903ed4ed77688c4f5afef3d75fcc16c86d6bd4332529259f
                                              • Opcode Fuzzy Hash: ddac1057f1f99feee76686d89cadc306cc46adfd1377a7ae8e83348a4959f65f
                                              • Instruction Fuzzy Hash: 7E518F7190010AAADB11DFB8C881BEEBBBDEF0A358F200595D510EF251D77CD94587E1

                                               Control-flow Graph (interactive graph of executed / not executed blocks; not reproduced here)
                                              APIs
                                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6BE99421
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                               • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: Ios_base_dtorstd::ios_base::_
                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                              • API String ID: 323602529-1866435925
                                              • Opcode ID: 94559e6075dbe8ff46a03770074710025975aea97e420566654ef3d0aa836737
                                              • Instruction ID: dcce5e78ea22dbb643647acec8acb5c0758e904c8e9f8591e57ca09d5da76d59
                                              • Opcode Fuzzy Hash: 94559e6075dbe8ff46a03770074710025975aea97e420566654ef3d0aa836737
                                              • Instruction Fuzzy Hash: A95145B5900B008FD725DF29D581B97BBF1BB48318F108A2DD8964BB91E779B909CF90

                                               Control-flow Graph (interactive graph of executed / not executed blocks; not reproduced here)
                                              APIs
                                              • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6BE6CFE1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                               • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: FileRead
                                              • String ID:
                                              • API String ID: 2738559852-0
                                              • Opcode ID: 70efa77b6cba2323e50be87a3cdff08e81893532a87f4d8e5c34f5bdd193bce2
                                              • Instruction ID: ff65432c953e123b8dd72572a62afa297970f72360809ae1d721f47f04134d62
                                              • Opcode Fuzzy Hash: 70efa77b6cba2323e50be87a3cdff08e81893532a87f4d8e5c34f5bdd193bce2
                                              • Instruction Fuzzy Hash: 657161B4698344AFDB10CF18C884B5ABBE4BF89748F60481EF495C7350E3B9D9559F82

                                               Control-flow Graph (interactive graph of executed / not executed blocks; not reproduced here)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
• Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @*Z$@*Z
                                              • API String ID: 0-2842812045
                                              • Opcode ID: 607a189f869223083bbe7ca7bf0103ca911658bac5ac843972355fb2b0b1bf85
                                              • Instruction ID: 927d4103d9ad014ffa07732febb5936458029460350ff3b6c5d652ddaf5fa263
                                              • Opcode Fuzzy Hash: 607a189f869223083bbe7ca7bf0103ca911658bac5ac843972355fb2b0b1bf85
                                              • Instruction Fuzzy Hash: 3C426A70A893428FCB14CF28C49166EBBE1AB89754F244D6EF499C7351E339D946CB13

Control-flow Graph
(rendered figure not reproduced; executed/not-executed colouring lost): function 6beaf015-6beaf0b0, calling internal routines 6beb4c92, 6beb4e0f and 6bea30e2 and the CloseHandle and GetLastError APIs.
                                              APIs
                                              • CloseHandle.KERNEL32(00000000,?,00000000,?,6BEB794F), ref: 6BEAF06B
                                              • GetLastError.KERNEL32(?,00000000,?,6BEB794F), ref: 6BEAF075
                                              • __dosmaperr.LIBCMT ref: 6BEAF0A0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
• Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: CloseErrorHandleLast__dosmaperr
                                              • String ID:
                                              • API String ID: 2583163307-0
                                              • Opcode ID: d5d61915aac7645b548f59f5be947634ef7e898e414c48cdfda1f25c2a5a46e6
                                              • Instruction ID: 636b9dee23bf2338127e818e55c07efa9649197f5168028cd53d7a922793e4de
                                              • Opcode Fuzzy Hash: d5d61915aac7645b548f59f5be947634ef7e898e414c48cdfda1f25c2a5a46e6
                                              • Instruction Fuzzy Hash: 2C01E132A052202AD611273899C5B6E376D4F82B3CF35459AE926EE3C1DF6DC89143D1

Control-flow Graph
(rendered figure not reproduced; executed/not-executed colouring lost): function 6bea428c-6bea4302, calling internal routines 6bea30bc, 6bea3810, 6bea43a9, 6beabe2e, 6bead350, 6beaef88, 6beae565 and 6bea7eab; no Windows API calls.
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
• Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8Q
                                              • API String ID: 0-4022487301
                                              • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                              • Instruction ID: 12883354f32e96a3e0ab7c483094fe8ca6d7af20ca62bd7cd9ebbd14c7eb3d4d
                                              • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                              • Instruction Fuzzy Hash: DBF0D1368406145AD6316A399C0178B33BC8F82339F31471EE9209E1C0CF3CD40686B1
                                              APIs
                                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6BE991A4
                                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6BE991E4
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
• Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: Ios_base_dtorstd::ios_base::_
                                              • String ID:
                                              • API String ID: 323602529-0
                                              • Opcode ID: 9794c178cbad04bb638804c040ed37ad659ea45a977b627d718b2a723ccd0dad
                                              • Instruction ID: 2309de090a3941e4774307cecce33fbd01bd80ada6263c01f6b4c7b353050d5c
                                              • Opcode Fuzzy Hash: 9794c178cbad04bb638804c040ed37ad659ea45a977b627d718b2a723ccd0dad
                                              • Instruction Fuzzy Hash: 7A515674601B00DFE725DF25D885BA6BBF0BF05728F508A1CD4AA8B291DB38B549CB90
                                              APIs
                                              • GetLastError.KERNEL32(6BEC9DD0,0000000C), ref: 6BEA2642
                                              • ExitThread.KERNEL32 ref: 6BEA2649
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
• Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: ErrorExitLastThread
                                              • String ID:
                                              • API String ID: 1611280651-0
                                              • Opcode ID: a9d11d261b4cbc36928fe8d58101bdfae2cdb5246f1a1050802334397036c100
                                              • Instruction ID: 0a8d7ed66bc478ccfa95219d36f3dfba51b26b00a21325a13b5ca85b9440ac5c
                                              • Opcode Fuzzy Hash: a9d11d261b4cbc36928fe8d58101bdfae2cdb5246f1a1050802334397036c100
                                              • Instruction Fuzzy Hash: CEF0C275940205AFDB04AB70C84AA6E7B78FF45704F30415CE411AB291CF3CA941CB61
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
• Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: __wsopen_s
                                              • String ID:
                                              • API String ID: 3347428461-0
                                              • Opcode ID: c19a07dc453c10cc2c266a3b3e5cdc5d1f59d79e075c5696d3246aa1cfe08ef1
                                              • Instruction ID: dba95732cd367d97b57382714850474d4e75ee3cb8197b766c758db83e48c9ae
                                              • Opcode Fuzzy Hash: c19a07dc453c10cc2c266a3b3e5cdc5d1f59d79e075c5696d3246aa1cfe08ef1
                                              • Instruction Fuzzy Hash: AE114C72A0420AAFCF05DF58E94599B7BF8EF49304F2544A9F805AB311D770ED22CBA5
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
• Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: _free
                                              • String ID:
                                              • API String ID: 269201875-0
                                              • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                              • Instruction ID: 992520573a186d7a837da8dfc4482950771013f6cf88719b2544cb19399ca414
                                              • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                              • Instruction Fuzzy Hash: DF01FF72C1015DAFCF019FB88D01AEE7FB5AF08314F244169F964E21A1E7358A65DB91
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,00000000,?,6BEB7805,?,?,00000000,?,6BEB7805,00000000,0000000C), ref: 6BEB7B64
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
• Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 9f7b2a6e26515b23b5ab30125574d762b5e3d835df6977d9a80309c3bfff39ca
                                              • Instruction ID: 8b7a90b1d9b043cf1dfe3eeb87226b58f09089620d3d5180bbe2966ba8d540ad
                                              • Opcode Fuzzy Hash: 9f7b2a6e26515b23b5ab30125574d762b5e3d835df6977d9a80309c3bfff39ca
                                              • Instruction Fuzzy Hash: 8ED06C3204014DBBDF028E85DC06EDA3BAAFB48715F014010BA1856020C732E861AB90
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
• Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                              • Instruction ID: 5fecce72dab1a880bd724c5ae6d1fdacf9246e0960821e959a49eac3a0619a29
                                              • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                              • Instruction Fuzzy Hash:
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
• Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: _strlen
                                              • String ID: C
                                              • API String ID: 4218353326-4157497815
                                              • Opcode ID: 8e619ffb797611a7b873b20801c3bc16131f4867aaaa28a18b3ef0ad9b6d2be6
                                              • Instruction ID: 33a262a5d9187b5989b7aeaa79c5a45849579bdcf78d87808dff9e4207b6a385
                                              • Opcode Fuzzy Hash: 8e619ffb797611a7b873b20801c3bc16131f4867aaaa28a18b3ef0ad9b6d2be6
                                              • Instruction Fuzzy Hash: 2C73E771644B018FC728CF28D8D0A95B7F2BF953187298A6DC0A787B55EB78B54ECB40
                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 6BE9945A
                                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6BE99466
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6BE99474
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6BE9949B
                                              • NtInitiatePowerAction.NTDLL ref: 6BE994AF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
• Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                              • String ID: SeShutdownPrivilege
                                              • API String ID: 3256374457-3733053543
                                              • Opcode ID: 62f60083c30ebf99c7424c7418ae97bb00b4fd13557ffa4ca45dcf46f1d4e539
                                              • Instruction ID: 7d65c6c6c155f365c75cecf6652d8bfeb0e8adbc31eec8f9c07e3a01edbd5c54
                                              • Opcode Fuzzy Hash: 62f60083c30ebf99c7424c7418ae97bb00b4fd13557ffa4ca45dcf46f1d4e539
                                              • Instruction Fuzzy Hash: A6F0B471544304BBEA407F28CE0EF5A7BA8EF45701F004508F945AA0E1D770A989CBA7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
• Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \j`7$\j`7$j
                                              • API String ID: 0-3644614255
                                              • Opcode ID: 2a139f38c62f0c3ed539aa4ff749e92353487209683293b296a548c350b8c847
                                              • Instruction ID: 25db497b6b3a530899c7ade4302e30383952c8bae0fc775f1c4decf2d6aa5725
                                              • Opcode Fuzzy Hash: 2a139f38c62f0c3ed539aa4ff749e92353487209683293b296a548c350b8c847
                                              • Instruction Fuzzy Hash: 16423174A4D382CFCB14CF68D48065ABBE1BB9A264F14496EE4E9CB360D338D945CB53
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 6BEF9CE5
                                                • Part of subcall function 6BECFC2A: __EH_prolog.LIBCMT ref: 6BECFC2F
                                                • Part of subcall function 6BED16A6: __EH_prolog.LIBCMT ref: 6BED16AB
                                                • Part of subcall function 6BEF9A0E: __EH_prolog.LIBCMT ref: 6BEF9A13
                                                • Part of subcall function 6BEF9837: __EH_prolog.LIBCMT ref: 6BEF983C
                                                • Part of subcall function 6BEFD143: __EH_prolog.LIBCMT ref: 6BEFD148
                                                • Part of subcall function 6BEFD143: ctype.LIBCPMT ref: 6BEFD16C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prolog$ctype
                                              • String ID:
                                              • API String ID: 1039218491-3916222277
                                              • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                              • Instruction ID: 2da8bd55f52831f8df9d20092971cd7bfcebe7733914e155bf3b8c6b13efa2a3
                                              • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                              • Instruction Fuzzy Hash: 1403BC30D44248DEDF15CFB8C941BDDBBB9AF15308F2080DDD4596B291DB389A8ADB62
                                              APIs
                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6BEA3969
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6BEA3973
                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6BEA3980
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                              • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                              • String ID:
                                              • API String ID: 3906539128-0
                                              • Opcode ID: d1125bf84ad753753914de742298f8bad116ffcaf719a2983cc8de9dbfbd3cb8
                                              • Instruction ID: 3f2ddfe94f8825e3d3af51a46488f541b7ed4564771ffcc93445d2508860900d
                                              • Opcode Fuzzy Hash: d1125bf84ad753753914de742298f8bad116ffcaf719a2983cc8de9dbfbd3cb8
                                              • Instruction Fuzzy Hash: 8531C374D0132CABCB61DF24D889B8DBBB8BF08314F6045EAE41CA7250EB749B858F44
                                              APIs
                                              • GetCurrentProcess.KERNEL32(?,?,6BEA2925,?,?,?,?), ref: 6BEA288F
                                              • TerminateProcess.KERNEL32(00000000,?,6BEA2925,?,?,?,?), ref: 6BEA2896
                                              • ExitProcess.KERNEL32 ref: 6BEA28A8
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                              • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: Process$CurrentExitTerminate
                                              • String ID:
                                              • API String ID: 1703294689-0
                                              • Opcode ID: c20830350ed21c0476eaf6a9c2208f63e26d2d416672170bc0cd8feaa58e031b
                                              • Instruction ID: d00ca046b404f64f77eff60ffe8a99d7142aeaf2375fbb102325b523717385ab
                                              • Opcode Fuzzy Hash: c20830350ed21c0476eaf6a9c2208f63e26d2d416672170bc0cd8feaa58e031b
                                              • Instruction Fuzzy Hash: 5DE0B631480148ABCF016F66C809A597F7DFB59755B204468F8299A221CB3AE992DA80
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: x=J
                                              • API String ID: 3519838083-1497497802
                                              • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                              • Instruction ID: 24b5aad52925bf522668c062146bdb059b06f83bb57212af94bd556961d8573e
                                              • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                              • Instruction Fuzzy Hash: 9B91A231E00259DACF04DFB4DA929EEB771AF05308F3080ADD876A7351DB395986CB92
                                              APIs
                                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6BE9AFA0
                                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6BE9B7C3
                                                • Part of subcall function 6BE9CA69: RaiseException.KERNEL32(E06D7363,00000001,00000003,6BE9B7AC,00000000,?,?,?,6BE9B7AC,?,6BEC853C), ref: 6BE9CAC9
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                              • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                              • String ID:
                                              • API String ID: 915016180-0
                                              • Opcode ID: ce8ace1a425e3d17e5e1179ce6d9f6e4bdfebc916af1358a019bc75c1c1c9df8
                                              • Instruction ID: 9c05bdde53433cd4ab8e4dfe0abe2db63190121d868ffba95f91151c8ead90c4
                                              • Opcode Fuzzy Hash: ce8ace1a425e3d17e5e1179ce6d9f6e4bdfebc916af1358a019bc75c1c1c9df8
                                              • Instruction Fuzzy Hash: 8EB18E71D24205AFDB18EFA9D88179EBBB4FB49318F20816AE415E73A0D378D549CF90
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @4J$DsL
                                              • API String ID: 0-2004129199
                                              • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                              • Instruction ID: 2896ee6994271fa6c234c48e7786299c153c7246ee0ac2e0a865dee51495a2f2
                                              • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                              • Instruction Fuzzy Hash: C0217137AA49564BD74CCA28DC33EB92690E745305B89627EED4BCB3E1DF5D8800CA48
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 6BEE840F
                                                • Part of subcall function 6BEE9137: __EH_prolog.LIBCMT ref: 6BEE913C
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                              • Instruction ID: 70c3c54dcc3377177b961af9b0d9475969caaa4d4ccb5ff888025e6a4089d3fc
                                              • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                              • Instruction Fuzzy Hash: BC625A71D00259CFDF15CFA4C891BEDBBB5BF04308F20459AE819AB281D7789A52CFA1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: YA1
                                              • API String ID: 0-613462611
                                              • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                              • Instruction ID: ffdf894afbe5387fea6d49c6d0acd78d1c491f1198cda5aa1e158903deff8482
                                              • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                              • Instruction Fuzzy Hash: 1C42B2726083918FD315CF38C49069ABFE2EFD9308F14496DE8D58B362D6B9D946CB42
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: __aullrem
                                              • String ID:
                                              • API String ID: 3758378126-0
                                              • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                              • Instruction ID: fa40e025648d6dd146ffdba72fa2c5ab14aab651c064156d5e570675a6bf9284
                                              • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                              • Instruction Fuzzy Hash: E851A972A083559BD710CF5AC4C06EDFBF6EF79214F24C05EE88897242D27A599BCB60
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID: 0-3916222277
                                              • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                              • Instruction ID: 84050d214d0e1f41dcff22b78fc4d4b0843487acbea025ef1fd7fb97592c0422
                                              • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                              • Instruction Fuzzy Hash: 1D02AA366483808BD724CF28C49079EBBE2AFC9714F144A6DE8C597366D778DD46CB82
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (SL
                                              • API String ID: 0-669240678
                                              • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                              • Instruction ID: 18ef43d1957215a4087ed443f38ccdc24457d51e62fb8b5b33facacec851f072
                                              • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                              • Instruction Fuzzy Hash: 51519473E208214AD78CCE24DC2177672D2E784310F8BC1B99D8BAB6E6DD78989587C4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                              • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: B
                                              • API String ID: 0-1255198513
                                              • Opcode ID: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                                              • Instruction ID: 4e115d19fecefc888a3ac818323eb04865de7bc221aeaf0f3e1d920797b0de0d
                                              • Opcode Fuzzy Hash: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                                              • Instruction Fuzzy Hash: 4E3124315087518BD314DF68D884AABB3E2FBC4325F60CA3ED89ACBA94E7745815CF41
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                              • Instruction ID: 8e8a4a640a8a16f964ad66e191677a36b1185880a8067207e4c4b5cf5384248a
                                              • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                              • Instruction Fuzzy Hash: AB523C72608B418BD328CF29C5906AABBE2FF95308F148A7DD4DAC7752DB78E445CB41
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                              • Instruction ID: 7522de9b39e01c66ab2133a24de5b46e22640eff75ae9a2232ad422d3b270c6a
                                              • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                              • Instruction Fuzzy Hash: 2D6205B6A493458FC714CF29C480A1AFBF1BFD8744F108A6EE89987325D774E855CB82
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                              • Instruction ID: 1fbaf234e67699857b1ce0d6edad6964286e2d35e1b875b2cec8a3fe864e66f0
                                              • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                              • Instruction Fuzzy Hash: AF12BD722083428FC718CF28C59066ABBE2FFC9304F54496DE9D68B762D739E945CB91
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID:
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                              • API String ID: 3519838083-609671
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                              • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: __aulldiv$H_prolog
                                              • String ID: >WJ$x$x
                                              APIs
                                              • _ValidateLocalCookies.LIBCMT ref: 6BE9D1F7
                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 6BE9D1FF
                                              • _ValidateLocalCookies.LIBCMT ref: 6BE9D288
                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 6BE9D2B3
                                              • _ValidateLocalCookies.LIBCMT ref: 6BE9D308
                                              Similarity
                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                              • String ID: csm
                                              Similarity
                                              • API ID:
                                              • String ID: api-ms-$ext-ms-
                                              APIs
                                              • GetConsoleCP.KERNEL32(?,6BEAE7C0,?), ref: 6BEAF5E9
                                              • __fassign.LIBCMT ref: 6BEAF7C8
                                              • __fassign.LIBCMT ref: 6BEAF7E5
                                              • WriteFile.KERNEL32(?,6BEB91A6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BEAF82D
                                              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6BEAF86D
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BEAF919
                                              Similarity
                                              • API ID: FileWrite__fassign$ConsoleErrorLast
                                              • String ID:
                                              APIs
                                              • std::_Lockit::_Lockit.LIBCPMT ref: 6BD62F95
                                              • std::_Lockit::_Lockit.LIBCPMT ref: 6BD62FAF
                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6BD62FD0
                                              • __Getctype.LIBCPMT ref: 6BD63084
                                              • std::_Facet_Register.LIBCPMT ref: 6BD6309C
                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6BD630B7
                                              Similarity
                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                              • String ID:
                                              Similarity
                                              • API ID: __aulldiv$__aullrem
                                              • String ID:
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 6BEDD6F1
                                                • Part of subcall function 6BEEC173: __EH_prolog.LIBCMT ref: 6BEEC178
                                              • __EH_prolog.LIBCMT ref: 6BEDD8F9
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: IJ$WIJ$J
                                              APIs
                                              • _free.LIBCMT ref: 6BEB91CD
                                              • _free.LIBCMT ref: 6BEB91F6
                                              • SetEndOfFile.KERNEL32(00000000,6BEB7DDC,00000000,6BEAE7C0,?,?,?,?,?,?,?,6BEB7DDC,6BEAE7C0,00000000), ref: 6BEB9228
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6BEB7DDC,6BEAE7C0,00000000,?,?,?,?,00000000,?), ref: 6BEB9244
                                              Similarity
                                              • API ID: _free$ErrorFileLast
                                              • String ID: 8Q
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 6BEF141D
                                                • Part of subcall function 6BEF1E40: __EH_prolog.LIBCMT ref: 6BEF1E45
                                                • Part of subcall function 6BEF18EB: __EH_prolog.LIBCMT ref: 6BEF18F0
                                                • Part of subcall function 6BEF1593: __EH_prolog.LIBCMT ref: 6BEF1598
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: &qB$0aJ$A0$XqB
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: J$0J$DJ$`J
                                              APIs
                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6BEA28A4,?,?,6BEA2925,?,?,?), ref: 6BEA282F
                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6BEA2842
                                              • FreeLibrary.KERNEL32(00000000,?,?,6BEA28A4,?,?,6BEA2925,?,?,?), ref: 6BEA2865
                                              Similarity
                                              • API ID: AddressFreeHandleLibraryModuleProc
                                              • String ID: CorExitProcess$mscoree.dll
                                              APIs
                                              • __EH_prolog3.LIBCMT ref: 6BE9AA1E
                                              • std::_Lockit::_Lockit.LIBCPMT ref: 6BE9AA29
                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6BE9AA97
                                                • Part of subcall function 6BE9A920: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6BE9A938
                                              • std::locale::_Setgloballocale.LIBCPMT ref: 6BE9AA44
                                              • _Yarn.LIBCPMT ref: 6BE9AA5A
                                              Similarity
                                              • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                              • String ID:
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: $!$@
                                              Similarity
                                              • API ID: H_prolog__aulldiv
                                              • String ID: $SJ
                                              APIs
                                                • Part of subcall function 6BE9AA17: __EH_prolog3.LIBCMT ref: 6BE9AA1E
                                                • Part of subcall function 6BE9AA17: std::_Lockit::_Lockit.LIBCPMT ref: 6BE9AA29
                                                • Part of subcall function 6BE9AA17: std::locale::_Setgloballocale.LIBCPMT ref: 6BE9AA44
                                                • Part of subcall function 6BE9AA17: _Yarn.LIBCPMT ref: 6BE9AA5A
                                                • Part of subcall function 6BE9AA17: std::_Lockit::~_Lockit.LIBCPMT ref: 6BE9AA97
                                                • Part of subcall function 6BD62F60: std::_Lockit::_Lockit.LIBCPMT ref: 6BD62F95
                                                • Part of subcall function 6BD62F60: std::_Lockit::_Lockit.LIBCPMT ref: 6BD62FAF
                                                • Part of subcall function 6BD62F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6BD62FD0
                                                • Part of subcall function 6BD62F60: __Getctype.LIBCPMT ref: 6BD63084
                                                • Part of subcall function 6BD62F60: std::_Facet_Register.LIBCPMT ref: 6BD6309C
                                                • Part of subcall function 6BD62F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6BD630B7
                                              • std::ios_base::_Addstd.LIBCPMT ref: 6BD6211B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                               • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                              • API String ID: 3332196525-1866435925
                                              • Opcode ID: c141c825511c15507925c8906b4b64cb74748128d9a723af1dbb1d4554214e26
                                              • Instruction ID: 57c95bd3475422a418a2a599408430d67cc35c5a1a995095465c18a55eaacc10
                                              • Opcode Fuzzy Hash: c141c825511c15507925c8906b4b64cb74748128d9a723af1dbb1d4554214e26
                                              • Instruction Fuzzy Hash: BC4191B0E003099FDB00DF64D8457AABBB1FF48368F104268E919AF391E7799985CF91
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: $CK$CK
                                              • API String ID: 3519838083-2957773085
                                              • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                              • Instruction ID: d13ac8e279fb4f473bce25b266ac76dc3ea67e4bc4ac5442e6d029881ae82021
                                              • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                              • Instruction Fuzzy Hash: D8218E79E016058BCF04DFE8D4811EEB7F6AF99304F24452EC412A7292D7784A43CAA1
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: 0$LrJ$x
                                              • API String ID: 3519838083-658305261
                                              • Opcode ID: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                                              • Instruction ID: bf657b21ec350948ac346ee2621778b6db4284a1b176ed000a2e47e29068833c
                                              • Opcode Fuzzy Hash: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                                              • Instruction Fuzzy Hash: A4213E36E0111DDACF04DFE8CA91AEEB7B5EF59308F20005AD411B7250DBB95E04DBA1
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 6BEF7ECC
                                                • Part of subcall function 6BEE258A: __EH_prolog.LIBCMT ref: 6BEE258F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: :hJ$dJ$xJ
                                              • API String ID: 3519838083-2437443688
                                              • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                              • Instruction ID: c0dbba1b033fb640dad9e3320d0363575e41bb21239b36cbdb597dd5f3b18d31
                                              • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                              • Instruction Fuzzy Hash: 7F21C6B0801B40DFC764CF6AC14424ABBF4BF29708B10C96EC0AA97A11E7B8A609CF55
                                              APIs
                                              • SetFilePointerEx.KERNEL32(00000000,?,00000000,6BEAE7C0,6BD61DEA,00008000,6BEAE7C0,?,?,?,6BEAE36F,6BEAE7C0,?,00000000,6BD61DEA), ref: 6BEAE4B9
                                              • GetLastError.KERNEL32(?,?,?,6BEAE36F,6BEAE7C0,?,00000000,6BD61DEA,?,6BEB7D8E,6BEAE7C0,000000FF,000000FF,00000002,00008000,6BEAE7C0), ref: 6BEAE4C3
                                              • __dosmaperr.LIBCMT ref: 6BEAE4CA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                               • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: ErrorFileLastPointer__dosmaperr
                                              • String ID: 8Q
                                              • API String ID: 2336955059-4022487301
                                              • Opcode ID: 21559f066febb092a380f8631fd39504295f1e0704d57233be082cf17a9d8a17
                                              • Instruction ID: 13530fa20e5a40ea17c0affc3dd2fa51ba206fae5109baf5b28131f7583a7cdb
                                              • Opcode Fuzzy Hash: 21559f066febb092a380f8631fd39504295f1e0704d57233be082cf17a9d8a17
                                              • Instruction Fuzzy Hash: 5C01FC72624515AFCB059F69CC45C9D3B2DEF86734B340249E821AF280EB79D9518750
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: <J$DJ$HJ$TJ$]
                                              • API String ID: 0-686860805
                                              • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                              • Instruction ID: 3e3a462aec2e541a7ea0bdc6a46c782b6d56f71c92b4564ba936ac11e357ec3c
                                              • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                              • Instruction Fuzzy Hash: 73418230C5464AABCF64DBB0D4918EEB770AF11208F30C1ADD03567664EB3EE65ACB61
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: __aulldiv
                                              • String ID:
                                              • API String ID: 3732870572-0
                                              • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                              • Instruction ID: 7e1b547b0cb9871d86f2800265aa6c31fbb69e096900e3c54bc96e42fd1ea68e
                                              • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                              • Instruction Fuzzy Hash: 1E119076604244BFEB214EA4CC81EAFBBFDEBC9744F10842DF641562A0DA75AC12D730
                                              APIs
                                              • GetLastError.KERNEL32(?,?,?,6BEA2654,6BEC9DD0,0000000C), ref: 6BEA80A7
                                              • _free.LIBCMT ref: 6BEA8104
                                              • _free.LIBCMT ref: 6BEA813A
                                              • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6BEA2654,6BEC9DD0,0000000C), ref: 6BEA8145
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                               • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: ErrorLast_free
                                              • String ID:
                                              • API String ID: 2283115069-0
                                              • Opcode ID: 762130240d3e2e2463e811015fe8a6327372fa509ac5638485f7d581d26ea797
                                              • Instruction ID: 401cca1399ae66c58a835b12a83771d9c981954b316f0043fe067ae03c777ee8
                                              • Opcode Fuzzy Hash: 762130240d3e2e2463e811015fe8a6327372fa509ac5638485f7d581d26ea797
                                              • Instruction Fuzzy Hash: CA11A3726442416BEB156A748CC5E1A3B6DAFC36BDB31063CF1259E2D0EF2DCC164220
                                              APIs
                                              • WriteConsoleW.KERNEL32(00000000,?,6BEB7DDC,00000000,00000000,?,6BEB8241,00000000,00000001,00000000,6BEAE7C0,?,6BEAF976,?,?,6BEAE7C0), ref: 6BEB95C1
                                              • GetLastError.KERNEL32(?,6BEB8241,00000000,00000001,00000000,6BEAE7C0,?,6BEAF976,?,?,6BEAE7C0,?,6BEAE7C0,?,6BEAF40C,6BEB91A6), ref: 6BEB95CD
                                                • Part of subcall function 6BEB961E: CloseHandle.KERNEL32(FFFFFFFE,6BEB95DD,?,6BEB8241,00000000,00000001,00000000,6BEAE7C0,?,6BEAF976,?,?,6BEAE7C0,?,6BEAE7C0), ref: 6BEB962E
                                              • ___initconout.LIBCMT ref: 6BEB95DD
                                                • Part of subcall function 6BEB95FF: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6BEB959B,6BEB822E,6BEAE7C0,?,6BEAF976,?,?,6BEAE7C0,?), ref: 6BEB9612
                                              • WriteConsoleW.KERNEL32(00000000,?,6BEB7DDC,00000000,?,6BEB8241,00000000,00000001,00000000,6BEAE7C0,?,6BEAF976,?,?,6BEAE7C0,?), ref: 6BEB95F2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                               • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                              • String ID:
                                              • API String ID: 2744216297-0
                                              • Opcode ID: 096f18c112217a40a076af210d1950938e1222fcd9d4af82d7a4f2c8e1806eb9
                                              • Instruction ID: b6278ac9825693b10c7c588ea5ce2a2c87943e39c5da022ba198804949e58fcf
                                              • Opcode Fuzzy Hash: 096f18c112217a40a076af210d1950938e1222fcd9d4af82d7a4f2c8e1806eb9
                                              • Instruction Fuzzy Hash: A8F01C3A442119BBCF122FA1CC48E893F26FB0A7A1F114064FE1995221DB32C860DB91
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 6BED1077
                                                • Part of subcall function 6BED0FF5: __EH_prolog.LIBCMT ref: 6BED0FFA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: :$\
                                              • API String ID: 3519838083-1166558509
                                              • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                              • Instruction ID: 396ebbd4719bed8ed3153f31d3dde5b52bbaa7aa35e6a8b38f62d47568e64b56
                                              • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                              • Instruction Fuzzy Hash: A0E1FF30904219DACB10DFE8C991BDEB7B1AF15318F30815DD8666B290DBBDA95BCB42
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prolog__aullrem
                                              • String ID: d%K
                                              • API String ID: 3415659256-3110269457
                                              • Opcode ID: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                              • Instruction ID: 8192ddc3d8dbd57b75e9dddb6cee7c1efd09fb71c7ff1c4da03529b26fdbfd89
                                              • Opcode Fuzzy Hash: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                              • Instruction Fuzzy Hash: F181F877A442199FDF00CFA8C590BDEB7F5EF44348F108899D818AB261DB79E905CBA1
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                               • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prolog3_
                                              • String ID: 8Q
                                              • API String ID: 2427045233-4022487301
                                              • Opcode ID: 0f0bf8c3463e2b97abdbf99de1fbffbe97fe800eeec715d373ca3f27081c465c
                                              • Instruction ID: eabee6075e78aaceb68e49343215b3f2aa11a83eb5440759baf645c789648a48
                                              • Opcode Fuzzy Hash: 0f0bf8c3463e2b97abdbf99de1fbffbe97fe800eeec715d373ca3f27081c465c
                                              • Instruction Fuzzy Hash: 9E71A675D042169FDB118FACC880AEEBB7DAF46318F3481A9E8206F350DB7D9951C761
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: @$hfJ
                                              • API String ID: 3519838083-1391159562
                                              • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                              • Instruction ID: 3df4f80bb0601b8cc64ce372726e6948e9c66b23d571c58a830a3cb74e9b1d91
                                              • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                              • Instruction Fuzzy Hash: 6B915A71910249EFCB20DFA9C8909DEFBF8FF18308F60456EE456A7290D779AA45CB11
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 6BEEBC5D
                                                • Part of subcall function 6BEEA61A: __EH_prolog.LIBCMT ref: 6BEEA61F
                                                • Part of subcall function 6BEEAA2E: __EH_prolog.LIBCMT ref: 6BEEAA33
                                                • Part of subcall function 6BEEBEA5: __EH_prolog.LIBCMT ref: 6BEEBEAA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: WZJ
                                              • API String ID: 3519838083-1089469559
                                              • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                              • Instruction ID: afa1c759945c54be9bffca3098e87364ead183faf1e5f3837d5d6b784b1c04c4
                                              • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                              • Instruction Fuzzy Hash: 51817D35D00259DFCF15DFB8D591ADEBBB4AF08308F20409DE516672A0DB38AE46CBA1
                                              APIs
                                              • ___std_exception_destroy.LIBVCRUNTIME ref: 6BD62A76
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                               • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: ___std_exception_destroy
                                              • String ID: Jbx$Jbx
                                              • API String ID: 4194217158-1161259238
                                              • Opcode ID: 7c9506f69a455f127d319a0db8be1380b612f187765ef7e38ca6ba35d660a184
                                              • Instruction ID: f4050fac1fa77be7542a93f2e1f0f5aa5d3cdbb1defa626a2d85d4225f053d14
                                              • Opcode Fuzzy Hash: 7c9506f69a455f127d319a0db8be1380b612f187765ef7e38ca6ba35d660a184
                                              • Instruction Fuzzy Hash: 3651E3B1900204CBCB14CF68D88169EBBB5EF89368F24856EE849DF341E339D985CB91
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: <dJ$Q
                                              • API String ID: 3519838083-2252229148
                                              • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                              • Instruction ID: d90193e619a3eca90a244c726865f3c0885ad082549cfe9cf198ff27cd2b214c
                                              • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                              • Instruction Fuzzy Hash: DF517171E04249EFCF10DFA8C8808EDB7B5FF44318F20856EE526A7250D7799956CB52
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: $D^J
                                              • API String ID: 3519838083-3977321784
                                              • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                              • Instruction ID: 45d3f15334d0335a0dc3503caa6edd5980dffc8aad864a7eea3be30adfe86b97
                                              • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                              • Instruction Fuzzy Hash: D0413B20A24DA0AED7769F78C4507ADBBA1AF16348F3481DCC49607381EB6C5997C3F1
                                              APIs
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6BEB7DC6), ref: 6BEB070B
                                              • __dosmaperr.LIBCMT ref: 6BEB0712
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                               • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: ErrorLast__dosmaperr
                                              • String ID: 8Q
                                              • API String ID: 1659562826-4022487301
                                              • Opcode ID: bac4a5257d9c6e8f0e8843e451257aa48fb7227f4757830df1541cd8833f0388
                                              • Instruction ID: 48510ea938b7c925b7dcce113a4950891df31914c1d22a09f3703c7da88354b6
                                              • Opcode Fuzzy Hash: bac4a5257d9c6e8f0e8843e451257aa48fb7227f4757830df1541cd8833f0388
                                              • Instruction Fuzzy Hash: D8418B70614154AFD711DF28CB80BA9BFA5EB86354F34429DE8809B257D339EC228B90
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: X&L$p|J
                                              • API String ID: 3519838083-2944591232
                                              • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                              • Instruction ID: 5585d6f8ceba507258bce29993e626ba48b19e641892d1b2555903653445e296
                                              • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                              • Instruction Fuzzy Hash: 26314033B84905DBDB00DB6CDD25BAE7B71EF12724F20006AD510E66F1CF6C8582EA95
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: 0|J$`)L
                                              • API String ID: 3519838083-117937767
                                              • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                              • Instruction ID: 4e85285c780cd61cd93fdc2279499dfc54c1ebc90aeb786cb5648e1dd45e9d3a
                                              • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                              • Instruction Fuzzy Hash: FE41A432605785DFCB118F74C9A07AFBBA2FF45204F0044AEE46A57230CB796940EB92
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: __aulldiv
                                              • String ID: 3333
                                              • API String ID: 3732870572-2924271548
                                              • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                              • Instruction ID: cb15f798094f53c120be44ef992000cefc96b88a6a110f8253a2410fd4118079
                                              • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                              • Instruction Fuzzy Hash: B521F4B29407046FD730CFB98881B5BFAFDEB88755F10892FA186D3660DB74E8008B65
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: @$LuJ
                                              • API String ID: 3519838083-205571748
                                              • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                              • Instruction ID: f4bb8da5e2921b737804b770303aeb49f9827707043e52da729c0fcce7894d2a
                                              • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                              • Instruction Fuzzy Hash: 5601C072E01309DACB20CFA9C4909AEF7B4FF59704F40C42EE469E3261C7789904CB99
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: @$xMJ
                                              • API String ID: 3519838083-951924499
                                              • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                              • Instruction ID: 547383f0d685d8107c4016fd70d694e605d7f983b87ca7f16d2a991b9a601f03
                                              • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                              • Instruction Fuzzy Hash: A9113C71E00249DBCB00CFE9C49059EB7B4FF58308BA0C86ED469E7251D77C9A16CB95
                                              APIs
                                              • _free.LIBCMT ref: 6BEB1439
                                              • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6BEADD2A,?,00000004,?,4B42FCB6,?,?,6BEA2E7C,4B42FCB6,?), ref: 6BEB1475
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                                               • Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: AllocHeap_free
                                              • String ID: 8Q
                                              • API String ID: 1080816511-4022487301
                                              • Opcode ID: 9845ebc47871ca3d1421433493d59f90a1719117bf652eeaf5cf6b45d2bd796a
                                              • Instruction ID: cffdb43335da6c84dd462ba7e8a9d931aeee8c55fcf8e6ecc691e2c625bb84bd
                                              • Opcode Fuzzy Hash: 9845ebc47871ca3d1421433493d59f90a1719117bf652eeaf5cf6b45d2bd796a
                                              • Instruction Fuzzy Hash: 09F0FC31520131A6DB195BF59D41B4B376D9FC3FB9B31816DE8145A290DF3CD4128193
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prologctype
                                              • String ID: <oJ
                                              • API String ID: 3037903784-2791053824
                                              • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                              • Instruction ID: 995c8649d1778cac91d5196e0ff4ab229fb74859b7ca9205c994977b2b644492
                                              • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                              • Instruction Fuzzy Hash: 5FE0ED33A005219BDB089F48C811B9EFBA8EF44B24F21805EA025A3362CBB9A811C6C0
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID: H_prologctype
                                              • String ID: |zJ
                                              • API String ID: 3037903784-3782439380
                                              • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                              • Instruction ID: 96d1ae834a2a4325fc662d72860b30dd6c404cc2c301a56bd5f4ac6bba36dc47
                                              • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                              • Instruction Fuzzy Hash: 40E0E533600521ABE714CF48C81179EF3A4FF54B14F00405FA412A3275CFB8A8408681
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @ K$DJ$T)K$X/K
                                              • API String ID: 0-3815299647
                                              • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                              • Instruction ID: 1046f7f891fbb15d51e568acbf7183a77d96ab1f09e98b0affec9b56d1230dce
                                              • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                              • Instruction Fuzzy Hash: B091C236A043159BCB04DE74C5A07EF77A2BF41308F20485DD8665B3A1CB7EA949CBD2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BECB000, based on PE: true
                                               • Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmp
                                               • Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U7a0b#U5e8f_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: D)K$H)K$P)K$T)K
                                              • API String ID: 0-2262112463
                                              • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                              • Instruction ID: 6013cdea7e2570145f70535c2a3c3908d154f2c8c7e6597e66ae88093dd4873c
                                              • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                              • Instruction Fuzzy Hash: FF517E32A082099BCF04DFE8D941ADFB771EF15318F204459E861672A0DB7DA945CBE6
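The `Memory Dump Source` entries above identify each dumped region of the 6BD10000 module by a dotted, fixed-width `.sdmp` file name. The following Python is an added example (not part of the Joe Sandbox report or its tooling) that decodes those names so an analyst can pick out the image-backed executable regions before loading anything into a disassembler. The field layout is an assumption inferred from the values on this page, not a documented format: the fifth field takes the winnt.h PAGE_* protection values (0x20 on the 6BD11000 region that carries the code, 0x02 on the 6BD10000 header and 6BEBB000 regions, 0x08 and 0x04 on the writable ones) and the seventh field is 0x01000000, which is MEM_IMAGE. The process index, run, dump id and the sixth and eighth fields are carried through raw because nothing on the page establishes their meaning. The sample lines are copied from this report's entries, including the "Download File" link text that extraction glued onto the names.

```python
"""Decode Joe Sandbox .sdmp memory-dump names. Added example, not Joe Sandbox code.
Field layout is an assumption inferred from the names on this page: field 5 matches
winnt.h PAGE_* protection values, field 7 matches MEM_IMAGE; the rest are kept raw."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# winnt.h MEMORY_BASIC_INFORMATION.Protect values (low byte; modifiers live above it).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_PROTECT = {0x10, 0x20, 0x40, 0x80}
# winnt.h MEMORY_BASIC_INFORMATION.Type values.
MEM_IMAGE = 0x1000000
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# Eight dotted fixed-width fields; every name on this page has this shape.
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    process_index: int  # assumed sandbox-internal process number, not a Windows PID
    run: int
    dump_id: int
    address: int
    protect: int
    field6: int         # meaning not established on the page; kept raw
    mem_type: int
    field8: int         # meaning not established on the page; kept raw

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:
        # PAGE_GUARD / PAGE_NOCACHE modifiers sit above the low byte; mask them off.
        return (self.protect & 0xFF) in EXECUTABLE_PROTECT


def parse_dump_name(name: str) -> DumpRegion:
    """Split one .sdmp file name into its fields; raises ValueError on anything else."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised sdmp name: {name!r}")
    pid, run, dump_id, addr, prot, f6, typ, f8 = m.groups()
    return DumpRegion(name.strip(), int(pid, 16), int(run, 16), int(dump_id),
                      int(addr, 16), int(prot, 16), int(f6, 16), int(typ, 16), int(f8, 16))


def regions_from_report_lines(lines: Iterable[str]) -> List[DumpRegion]:
    """Pull every sdmp name out of 'Source File:' / 'Associated:' report lines.
    The match stops at '.sdmp', so 'Download File' link text glued on by page
    extraction is ignored."""
    return [parse_dump_name(tok) for line in lines
            for tok in re.findall(r"[0-9A-Fa-f.]+\.sdmp", line)]


def executable_regions(regions: Iterable[DumpRegion]) -> List[DumpRegion]:
    """Image-backed executable regions: the ones to load into a disassembler first."""
    return sorted((r for r in regions if r.executable and r.mem_type == MEM_IMAGE),
                  key=lambda r: r.address)


# Copied from the 'Memory Dump Source' entries for the 6BD10000 module on this page.
REPORT_LINES = [
    "Source File: 00000006.00000002.1961666875.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true",
    "Associated: 00000006.00000002.1961644593.000000006BD10000.00000002.00000001.01000000.00000009.sdmpDownload File",
    "Associated: 00000006.00000002.1962924840.000000006BEBB000.00000002.00000001.01000000.00000009.sdmpDownload File",
    "Associated: 00000006.00000002.1962980977.000000006BECB000.00000008.00000001.01000000.00000009.sdmpDownload File",
    "Associated: 00000006.00000002.1963666615.000000006BF96000.00000004.00000001.01000000.00000009.sdmpDownload File",
    "Associated: 00000006.00000002.1963698579.000000006BF9C000.00000020.00000001.01000000.00000009.sdmpDownload File",
    "Associated: 00000006.00000002.1964388737.000000006C087000.00000002.00000001.01000000.00000009.sdmpDownload File",
]

if __name__ == "__main__":
    for r in regions_from_report_lines(REPORT_LINES):
        print(f"{r.address:016x}  {r.protect_name:<24} {r.type_name:<11} "
              f"{'exec' if r.executable else ''}")
```

Run as a script it lists the seven regions with their decoded protection and type; only 6BD11000 and 6BF9C000 come out executable, which is consistent with the report's function listings all pointing into the 6BD11000 dump (Offset 6BD10000) or the 6BECB000 data dump. The masking of the protection to its low byte keeps the check correct if a name ever carries PAGE_GUARD or PAGE_NOCACHE modifiers.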

                                              Execution Graph

                                               Execution Coverage: 4%
                                               Dynamic/Decrypted Code Coverage: 0%
                                               Signature Coverage: 0.4%
                                               Total number of Nodes: 2000
                                               Total number of Limit Nodes: 37
                                               execution_graph: serialized node and edge data for the report's interactive graph viewer; it does not render meaningfully as text. What is recoverable from the node labels: the graph starts at function 44a7c5, and the API calls labelled along the walked paths are malloc, free, memset, memcpy, _CxxThrowException, __EH_prolog, __aulldiv, VariantClear, SysAllocStringLen, SetFilePointer, GetLastError, SetLastError, GetCurrentProcess, GetProcessAffinityMask, GetSystemInfo, GetModuleHandleA, GetProcAddress, GlobalMemoryStatusEx and GlobalMemoryStatus. One path resolves an export through GetModuleHandleA/GetProcAddress and then reaches GlobalMemoryStatusEx followed by GlobalMemoryStatus, the usual shape of runtime resolution with a fallback for systems lacking the Ex export; on its own that is ordinary runtime-library behaviour, not evidence of malice.
73650 4708ae 73655 46b8dc ctype free 73651->73655 73657 470914 73655->73657 73889 421e40 free 73657->73889 73658 421e0c ctype 2 API calls 73670 470715 73658->73670 73661 47091c 73890 421e40 free 73661->73890 73665 470924 73891 421e40 free 73665->73891 73668 47092c 73670->73644 73670->73648 73670->73651 73670->73658 73671 46ef67 _CxxThrowException 73670->73671 73782 4312a5 73670->73782 73787 42429a 73670->73787 73793 4681ec 73670->73793 73671->73670 73672->73609 73673->73613 73676->73617 73677->73619 73678->73598 73688 46d2b8 73679->73688 73682 46d25e 73705 421e40 free 73682->73705 73685 46d275 73685->73629 73686->73631 73687->73633 73707 421e40 free 73688->73707 73690 46d2c8 73708 421e40 free 73690->73708 73692 46d2dc 73709 421e40 free 73692->73709 73694 46d2e7 73710 421e40 free 73694->73710 73696 46d2f2 73711 421e40 free 73696->73711 73698 46d2fd 73712 421e40 free 73698->73712 73700 46d308 73713 421e40 free 73700->73713 73702 46d313 73703 46d246 73702->73703 73714 421e40 free 73702->73714 73703->73682 73706 421e40 free 73703->73706 73705->73685 73706->73682 73707->73690 73708->73692 73709->73694 73710->73696 73711->73698 73712->73700 73713->73702 73714->73703 73716 431130 73715->73716 73717 43115f 73716->73717 73720 42b668 73716->73720 73739 42d331 73716->73739 73717->73606 73723 42b675 73720->73723 73725 427731 5 API calls 73723->73725 73726 42b81b 73723->73726 73728 42b7e7 73723->73728 73729 42b7ad 73723->73729 73730 42b6aa 73723->73730 73731 42b811 73723->73731 73737 42b864 73723->73737 73748 427b4f ReadFile 73723->73748 73724 42b8aa GetLastError 73724->73730 73725->73723 73727 42b839 memcpy 73726->73727 73726->73730 73727->73730 73732 427731 5 API calls 73728->73732 73728->73737 73729->73723 73738 42b8c7 73729->73738 73747 4a6a20 VirtualAlloc 73729->73747 73730->73716 73749 42b8ec GetLastError 73731->73749 73736 42b80d 73732->73736 73736->73731 73736->73737 73743 427b7c 73737->73743 73738->73730 73740 42d355 73739->73740 73741 42d374 73740->73741 73742 42b668 
10 API calls 73740->73742 73741->73716 73742->73741 73744 427b89 73743->73744 73750 427b4f ReadFile 73744->73750 73746 427b9a 73746->73724 73746->73730 73747->73729 73748->73723 73749->73730 73750->73746 73751->73639 73753 46f047 _CxxThrowException 73752->73753 73754 470407 73753->73754 73755 46f047 _CxxThrowException 73754->73755 73756 470475 73754->73756 73760 470421 73755->73760 73757 47049a 73756->73757 73896 46fa3f 22 API calls 2 library calls 73756->73896 73758 4704b8 73757->73758 73897 47159a malloc _CxxThrowException free ctype 73757->73897 73759 4704e8 73758->73759 73763 4704cd 73758->73763 73899 477c4a malloc _CxxThrowException free ctype 73759->73899 73764 47043e 73760->73764 73893 46ef67 _CxxThrowException 73760->73893 73898 46fff0 9 API calls 2 library calls 73763->73898 73894 46f93c 7 API calls 2 library calls 73764->73894 73766 470492 73768 46f047 _CxxThrowException 73766->73768 73768->73757 73770 470446 73774 47046d 73770->73774 73895 46ef67 _CxxThrowException 73770->73895 73771 4704db 73775 46f047 _CxxThrowException 73771->73775 73773 4704e3 73778 47054a 73773->73778 73901 46ef67 _CxxThrowException 73773->73901 73777 46f047 _CxxThrowException 73774->73777 73775->73773 73776 4704f3 73776->73773 73900 43089e malloc _CxxThrowException free _CxxThrowException memcpy 73776->73900 73777->73756 73778->73670 73783 4604d2 5 API calls 73782->73783 73784 4312ad 73783->73784 73785 421e0c ctype 2 API calls 73784->73785 73786 4312b4 73785->73786 73786->73670 73788 4242a7 73787->73788 73789 4242c5 73787->73789 73790 4242b3 73788->73790 73902 421e40 free 73788->73902 73789->73670 73790->73789 73792 421e0c ctype 2 API calls 73790->73792 73792->73789 73794 4681f6 __EH_prolog 73793->73794 73903 46f749 73794->73903 73796 46824e 73965 4691cc free ctype 73796->73965 73797 46823b 73797->73796 73907 468f58 73797->73907 73863 468667 73863->73670 73880 46b8e6 __EH_prolog 73879->73880 73988 421e40 free 73880->73988 73882 46b90d 73989 45e647 free ctype 73882->73989 73884 
46b915 73885 421e40 free 73884->73885 73885->73650 73889->73661 73890->73665 73891->73668 73893->73764 73894->73770 73895->73774 73896->73766 73897->73758 73898->73771 73899->73776 73900->73776 73901->73778 73902->73790 73904 46f779 73903->73904 73905 46f797 73904->73905 73906 46f782 _CxxThrowException 73904->73906 73905->73797 73906->73905 73908 468f6a 73907->73908 73966 437cec 73908->73966 73965->73863 73988->73882 73989->73884 73992 42b95a 6 API calls 73990->73992 73991 4310aa 73991->73326 73993 46f1b2 73991->73993 73992->73991 73994 46f1bc __EH_prolog 73993->73994 73995 431168 10 API calls 73994->73995 73997 46f1d3 73995->73997 73996 46f1e6 73996->73326 73997->73996 73998 46f231 memcpy 73997->73998 73999 46f21c _CxxThrowException 73997->73999 74002 46f24c 73998->74002 73999->73998 74000 46f2f0 memmove 74000->74002 74001 46f31a memcpy 74001->73996 74002->73996 74002->74000 74002->74001 74003->73209 74004 460343 74009 46035f 74004->74009 74007 460358 74010 460369 __EH_prolog 74009->74010 74026 43139e 74010->74026 74015 460143 ctype free 74016 46039a 74015->74016 74036 421e40 free 74016->74036 74018 4603a2 74037 421e40 free 74018->74037 74020 4603aa 74038 4603d8 74020->74038 74025 421e40 free 74025->74007 74027 4313b3 74026->74027 74028 4313ae 74026->74028 74030 4601c4 74027->74030 74054 4b7ea0 SetEvent GetLastError 74028->74054 74034 4601ce __EH_prolog 74030->74034 74031 460203 74055 421e40 free 74031->74055 74033 46020b 74033->74015 74034->74031 74056 421e40 free 74034->74056 74036->74018 74037->74020 74039 4603e2 __EH_prolog 74038->74039 74040 43139e ctype 2 API calls 74039->74040 74041 4603fb 74040->74041 74057 4b7d50 74041->74057 74043 460403 74044 4b7d50 ctype 2 API calls 74043->74044 74045 46040b 74044->74045 74046 4b7d50 ctype 2 API calls 74045->74046 74047 4603b7 74046->74047 74048 46004a 74047->74048 74049 460054 __EH_prolog 74048->74049 74063 421e40 free 74049->74063 74051 460067 74064 421e40 free 74051->74064 74053 46006f 74053->74007 74053->74025 
74054->74027 74055->74033 74056->74034 74058 4b7d7b 74057->74058 74059 4b7d59 CloseHandle 74057->74059 74058->74043 74060 4b7d75 74059->74060 74061 4b7d64 GetLastError 74059->74061 74060->74058 74061->74058 74062 4b7d6e 74061->74062 74062->74043 74063->74051 74064->74053 74065 42b144 74066 42b153 74065->74066 74068 42b159 74065->74068 74069 4311b4 74066->74069 74070 4311c1 74069->74070 74071 4311eb 74070->74071 74074 46ae7c 74070->74074 74079 46af27 74070->74079 74071->74068 74075 46ae86 74074->74075 74086 437190 74075->74086 74099 437140 74075->74099 74076 46aebb 74076->74070 74080 46af36 74079->74080 74083 46b010 74080->74083 74084 46aeeb 107 API calls 74080->74084 74184 42bd0c 74080->74184 74189 46ad3a 74080->74189 74193 46aebf 107 API calls 74080->74193 74083->74070 74084->74080 74087 43719a __EH_prolog 74086->74087 74088 4371b0 74087->74088 74091 4371dd 74087->74091 74129 434d78 74088->74129 74103 436fc5 74091->74103 74092 4372b4 74093 434d78 VariantClear 74092->74093 74094 4372c0 74092->74094 74093->74094 74095 4371b7 74094->74095 74096 437140 7 API calls 74094->74096 74095->74076 74096->74095 74097 4372a3 SetFileSecurityW 74097->74092 74098 437236 74098->74092 74098->74095 74098->74097 74100 43718d 74099->74100 74101 43714b 74099->74101 74100->74076 74101->74100 74183 434dff 7 API calls 2 library calls 74101->74183 74104 436fcf __EH_prolog 74103->74104 74132 4344a6 74104->74132 74106 43706a 74135 4368ac 74106->74135 74110 43709e 74159 421e40 free 74110->74159 74112 437029 74112->74106 74154 434dff 7 API calls 2 library calls 74112->74154 74113 437051 74113->74106 74117 4311b4 107 API calls 74113->74117 74116 4370c0 74155 426096 15 API calls 2 library calls 74116->74155 74117->74106 74118 43712e 74118->74098 74120 4370d1 74121 4370e2 74120->74121 74156 434dff 7 API calls 2 library calls 74120->74156 74126 4370e6 74121->74126 74157 436b5e 69 API calls 2 library calls 74121->74157 74124 4370fd 74125 437103 74124->74125 74124->74126 74158 421e40 free 
74125->74158 74126->74110 74128 43710b 74128->74118 74176 449262 74129->74176 74133 422e04 2 API calls 74132->74133 74134 4344be 74133->74134 74134->74106 74134->74112 74153 436e71 12 API calls 2 library calls 74134->74153 74136 4368b6 __EH_prolog 74135->74136 74137 436921 74136->74137 74152 4368c5 74136->74152 74161 427d4b 74136->74161 74139 436962 74137->74139 74142 436998 74137->74142 74167 436a17 6 API calls 2 library calls 74137->74167 74139->74142 74168 422dcd malloc _CxxThrowException 74139->74168 74143 4369e1 74142->74143 74160 427c3b SetFileTime 74142->74160 74171 42bcf8 CloseHandle 74143->74171 74145 43697a 74169 436b09 13 API calls __EH_prolog 74145->74169 74150 43698c 74170 421e40 free 74150->74170 74152->74110 74152->74116 74153->74112 74154->74113 74155->74120 74156->74121 74157->74124 74158->74128 74159->74118 74160->74143 74172 4277c8 74161->74172 74163 427d76 74163->74137 74166 434dff 7 API calls 2 library calls 74163->74166 74166->74137 74167->74139 74168->74145 74169->74150 74170->74142 74171->74152 74173 427731 5 API calls 74172->74173 74174 4277db 74173->74174 74174->74163 74175 427d3c SetEndOfFile 74174->74175 74175->74163 74177 44926c __EH_prolog 74176->74177 74178 4492fc 74177->74178 74182 4492a4 74177->74182 74179 42965d VariantClear 74178->74179 74181 434d91 74179->74181 74180 42965d VariantClear 74180->74181 74181->74095 74182->74180 74183->74100 74194 427ca2 74184->74194 74187 42bd3d 74187->74080 74190 46ad44 __EH_prolog 74189->74190 74202 436305 74190->74202 74191 46adbf 74191->74080 74193->74080 74195 427caf 74194->74195 74197 427cdb 74195->74197 74199 427c68 74195->74199 74197->74187 74198 42b8ec GetLastError 74197->74198 74198->74187 74200 427c76 74199->74200 74201 427c79 WriteFile 74199->74201 74200->74201 74201->74195 74203 43630f __EH_prolog 74202->74203 74239 4362b9 74203->74239 74205 436427 74208 42965d VariantClear 74205->74208 74207 43644a 74209 42965d VariantClear 74207->74209 74231 436445 74208->74231 74210 43646b 
74209->74210 74243 435126 74210->74243 74215 434d78 VariantClear 74216 436499 74215->74216 74216->74231 74235 4364ca 74216->74235 74399 435110 9 API calls 74216->74399 74218 4365de 74219 4365e7 74218->74219 74220 43669e 74218->74220 74224 421e0c ctype 2 API calls 74219->74224 74227 4365f6 74219->74227 74225 436754 74220->74225 74226 4366b8 74220->74226 74220->74231 74221 4364da 74221->74218 74221->74231 74401 43789c free memmove ctype 74221->74401 74224->74227 74289 435bea 74225->74289 74229 421e0c ctype 2 API calls 74226->74229 74402 4436ea 74227->74402 74228 43666b 74415 421e40 free 74228->74415 74229->74231 74231->74191 74232 43665c 74414 4231e5 malloc _CxxThrowException free _CxxThrowException 74232->74414 74235->74221 74235->74231 74400 4242e3 CharUpperW 74235->74400 74240 4362c9 74239->74240 74416 448fa4 74240->74416 74244 435130 __EH_prolog 74243->74244 74245 4351b4 74244->74245 74250 43518e 74244->74250 74464 423097 malloc _CxxThrowException free SysStringLen ctype 74244->74464 74248 42965d VariantClear 74245->74248 74245->74250 74247 42965d VariantClear 74256 43527f 74247->74256 74249 4351bc 74248->74249 74249->74250 74251 435206 74249->74251 74252 435289 74249->74252 74250->74247 74465 423097 malloc _CxxThrowException free SysStringLen ctype 74251->74465 74252->74250 74253 435221 74252->74253 74255 42965d VariantClear 74253->74255 74257 43522d 74255->74257 74256->74231 74285 448b05 74256->74285 74257->74256 74258 435351 74257->74258 74466 435459 malloc _CxxThrowException __EH_prolog 74257->74466 74258->74256 74265 4353a1 74258->74265 74471 4235e7 memmove 74258->74471 74261 4352ba 74467 428011 5 API calls ctype 74261->74467 74263 4352cf 74276 4352fd 74263->74276 74468 42823d 10 API calls 2 library calls 74263->74468 74265->74256 74472 4243b7 5 API calls 2 library calls 74265->74472 74268 4352e5 74269 422fec 3 API calls 74268->74269 74271 4352f5 74269->74271 74270 43540e 74474 43789c free memmove ctype 74270->74474 74469 421e40 free 74271->74469 74275 
4353df 74275->74270 74277 43541c 74275->74277 74473 4242e3 CharUpperW 74275->74473 74470 4354a0 free ctype 74276->74470 74278 4436ea 5 API calls 74277->74278 74279 435427 74278->74279 74280 422fec 3 API calls 74279->74280 74281 435433 74280->74281 74475 421e40 free 74281->74475 74283 43543b 74476 452db9 free ctype 74283->74476 74286 448b2e 74285->74286 74287 42965d VariantClear 74286->74287 74288 43648a 74287->74288 74288->74215 74288->74231 74290 435bf4 __EH_prolog 74289->74290 74477 4354c0 74290->74477 74293 448b05 VariantClear 74294 435c34 74293->74294 74339 435e17 74294->74339 74492 435630 74294->74492 74297 4436ea 5 API calls 74299 435c51 74297->74299 74298 435c60 74301 422f1c 2 API calls 74298->74301 74299->74298 74592 4357c1 53 API calls 2 library calls 74299->74592 74302 435c6c 74301->74302 74305 435caa 74302->74305 74593 436217 4 API calls 2 library calls 74302->74593 74304 435c91 74306 422fec 3 API calls 74304->74306 74308 435d49 74305->74308 74313 422e04 2 API calls 74305->74313 74307 435c9e 74306->74307 74594 421e40 free 74307->74594 74310 435d91 74308->74310 74311 435d55 74308->74311 74319 435da6 74310->74319 74513 4358be 74310->74513 74312 422fec 3 API calls 74311->74312 74314 435d66 74312->74314 74315 435cd2 74313->74315 74317 435d73 74314->74317 74600 425b2d 11 API calls 2 library calls 74314->74600 74595 421e40 free 74315->74595 74317->74319 74322 435d7b 74317->74322 74318 422fec 3 API calls 74321 435dd1 74318->74321 74319->74318 74378 435d8c 74319->74378 74324 435de7 74321->74324 74336 435e41 74321->74336 74321->74378 74325 437140 7 API calls 74322->74325 74322->74378 74601 436b5e 69 API calls 2 library calls 74324->74601 74325->74378 74327 435cf5 74327->74308 74332 422fec 3 API calls 74327->74332 74328 435eb0 74331 421e0c ctype 2 API calls 74328->74331 74330 4361fa 74616 421e40 free 74330->74616 74346 435eb7 74331->74346 74335 435d0c 74332->74335 74333 435e01 74337 435e20 74333->74337 74338 435e07 74333->74338 74596 421089 malloc 
_CxxThrowException free _CxxThrowException 74335->74596 74336->74328 74604 434115 VariantClear _CxxThrowException __EH_prolog 74336->74604 74343 437140 7 API calls 74337->74343 74337->74378 74602 421e40 free 74338->74602 74339->74231 74343->74378 74344 435d16 74347 422f1c 2 API calls 74344->74347 74345 435e0f 74603 421e40 free 74345->74603 74586 427c0d 74346->74586 74349 435d25 74347->74349 74597 443333 malloc _CxxThrowException free 74349->74597 74352 435e6e 74352->74328 74360 435ea5 74352->74360 74361 435ece 74352->74361 74352->74378 74354 435d31 74598 4231e5 malloc _CxxThrowException free _CxxThrowException 74354->74598 74358 435d3d 74599 421e40 free 74358->74599 74364 422fec 3 API calls 74360->74364 74605 425c7e 11 API calls 2 library calls 74361->74605 74364->74328 74365 435ed8 74369 435f01 74365->74369 74370 435edc 74365->74370 74374 437140 7 API calls 74369->74374 74606 42757d GetLastError 74370->74606 74375 435f08 74374->74375 74608 421e40 free 74375->74608 74615 421e40 free 74378->74615 74379 435ee1 74607 434e95 6 API calls 2 library calls 74379->74607 74390 435ef4 74390->74378 74399->74235 74400->74235 74401->74218 74403 4436f4 __EH_prolog 74402->74403 74404 422e04 2 API calls 74403->74404 74405 44370a 74404->74405 74406 443736 74405->74406 74924 421089 malloc _CxxThrowException free _CxxThrowException 74405->74924 74925 4231e5 malloc _CxxThrowException free _CxxThrowException 74405->74925 74407 422f1c 2 API calls 74406->74407 74409 443742 74407->74409 74923 421e40 free 74409->74923 74412 436633 74412->74228 74412->74232 74413 421089 malloc _CxxThrowException free _CxxThrowException 74412->74413 74413->74232 74414->74228 74415->74231 74417 448fae __EH_prolog 74416->74417 74450 447ebb 74417->74450 74423 449020 74424 422fec 3 API calls 74423->74424 74432 436302 74423->74432 74425 44903a 74424->74425 74435 44904d 74425->74435 74458 448b80 VariantClear 74425->74458 74427 449244 74463 4243b7 5 API calls 2 library calls 74427->74463 74428 4491b0 74461 448b9c 10 
API calls 2 library calls 74428->74461 74429 449144 74433 422f88 3 API calls 74429->74433 74437 44917b 74429->74437 74432->74205 74432->74207 74432->74231 74433->74437 74434 449100 74438 42965d VariantClear 74434->74438 74435->74429 74435->74432 74435->74434 74436 4490d6 74435->74436 74459 423097 malloc _CxxThrowException free SysStringLen ctype 74435->74459 74436->74434 74441 4490e7 74436->74441 74460 448f2e 9 API calls 74436->74460 74437->74427 74437->74428 74438->74432 74439 4491c0 74439->74432 74443 422f88 3 API calls 74439->74443 74445 42965d VariantClear 74441->74445 74448 4491ff 74443->74448 74444 449112 74444->74434 74446 448b64 VariantClear 74444->74446 74445->74429 74447 449123 74446->74447 74447->74434 74447->74441 74448->74432 74462 4250ff free ctype 74448->74462 74451 447ee4 74450->74451 74452 447ec6 74450->74452 74454 448b64 74451->74454 74452->74451 74453 421e40 free ctype 74452->74453 74453->74452 74455 448b05 VariantClear 74454->74455 74456 448b6f 74455->74456 74456->74432 74457 448f2e 9 API calls 74456->74457 74457->74423 74458->74435 74459->74436 74460->74444 74461->74439 74462->74432 74463->74432 74464->74245 74465->74253 74466->74261 74467->74263 74468->74268 74469->74276 74470->74258 74471->74258 74472->74275 74473->74275 74474->74277 74475->74283 74476->74256 74478 4354ca __EH_prolog 74477->74478 74480 42965d VariantClear 74478->74480 74482 435507 74478->74482 74479 42965d VariantClear 74481 435567 74479->74481 74484 435528 74480->74484 74481->74293 74481->74339 74482->74479 74483 435572 74485 42965d VariantClear 74483->74485 74484->74482 74484->74483 74486 43558e 74485->74486 74617 434cac VariantClear __EH_prolog 74486->74617 74488 4355a1 74488->74481 74618 434cac VariantClear __EH_prolog 74488->74618 74490 4355b8 74490->74481 74619 434cac VariantClear __EH_prolog 74490->74619 74493 43563a __EH_prolog 74492->74493 74495 435679 74493->74495 74620 443558 10 API calls 2 library calls 74493->74620 74496 422f1c 2 API calls 74495->74496 74512 
43571a 74495->74512 74497 435696 74496->74497 74621 443333 malloc _CxxThrowException free 74497->74621 74499 4356a2 74500 4356c5 74499->74500 74501 4356ad 74499->74501 74503 4356b4 74500->74503 74623 424adf wcscmp 74500->74623 74622 437853 5 API calls 2 library calls 74501->74622 74505 435707 74503->74505 74625 421089 malloc _CxxThrowException free _CxxThrowException 74503->74625 74626 4231e5 malloc _CxxThrowException free _CxxThrowException 74505->74626 74508 435712 74627 421e40 free 74508->74627 74509 4356d2 74509->74503 74624 437853 5 API calls 2 library calls 74509->74624 74512->74297 74514 4358c8 __EH_prolog 74513->74514 74515 422e04 2 API calls 74514->74515 74516 4358e9 74515->74516 74628 426c72 74516->74628 74519 435b2d 74528 422f1c 2 API calls 74519->74528 74576 435a38 74519->74576 74520 435905 74550 435a23 74520->74550 74580 435a01 74520->74580 74743 435bcf malloc _CxxThrowException 74520->74743 74521 435a44 74524 435a49 74521->74524 74525 435ab8 74521->74525 74522 435a0a 74748 42b382 44 API calls 2 library calls 74522->74748 74552 435b4c 74528->74552 74530 4359ce 74530->74319 74538 43592d 74543 422da9 2 API calls 74538->74543 74760 421e40 free 74550->74760 74557 422e04 2 API calls 74552->74557 74763 421e40 free 74576->74763 74580->74521 74580->74522 74905 427bf0 74586->74905 74592->74298 74593->74304 74594->74305 74595->74327 74596->74344 74597->74354 74598->74358 74599->74308 74600->74317 74601->74333 74602->74345 74603->74339 74604->74352 74605->74365 74606->74379 74607->74390 74615->74330 74616->74339 74617->74488 74618->74490 74619->74481 74620->74495 74621->74499 74622->74503 74623->74509 74624->74503 74625->74505 74626->74508 74627->74512 74630 426c7c __EH_prolog 74628->74630 74629 426cd3 74632 426ce2 74629->74632 74635 426d87 74629->74635 74630->74629 74631 426cb7 74630->74631 74633 422f88 3 API calls 74631->74633 74634 422f88 3 API calls 74632->74634 74636 426cc7 74633->74636 74639 426cf5 74634->74639 74637 422e47 2 API calls 74635->74637 74645 
426f4a 74635->74645 74636->74519 74636->74520 74638 426db0 74637->74638 74641 422e47 2 API calls 74638->74641 74640 426d4a 74639->74640 74642 426d0b 74639->74642 74781 427b41 28 API calls 74640->74781 74650 426dc0 74641->74650 74780 429252 GetModuleHandleW GetProcAddress GetDiskFreeSpaceW 74642->74780 74644 426fd1 74651 4270e5 74644->74651 74653 426fed 74644->74653 74671 42701d 74644->74671 74645->74644 74648 426f7e 74645->74648 74647 426d5f 74799 426bf5 11 API calls 2 library calls 74648->74799 74649 426d36 74649->74640 74663 426dfe 74650->74663 74785 423221 malloc _CxxThrowException free _CxxThrowException 74650->74785 74764 426868 74651->74764 74801 426bf5 11 API calls 2 library calls 74653->74801 74658 426f85 74658->74651 74660 426f99 74658->74660 74670 422f88 3 API calls 74660->74670 74662 426e43 74663->74662 74677 426e1e 74663->74677 74664 427006 74671->74651 74802 42717b 13 API calls 74671->74802 74678 427052 74727 426ff2 74727->74651 74727->74664 74743->74538 74760->74530 74763->74530 74765 426872 __EH_prolog 74764->74765 74766 426848 FindClose 74765->74766 74780->74649 74781->74647 74785->74663 74799->74658 74801->74727 74802->74678 74908 42759a 74905->74908 74909 4275a4 __EH_prolog 74908->74909 74910 42764c CloseHandle 74909->74910 74911 4275af 74910->74911 74923->74412 74924->74405 74925->74405 74926 44d3c2 74927 44d3e9 74926->74927 74928 42965d VariantClear 74927->74928 74929 44d42a 74928->74929 74930 44d883 2 API calls 74929->74930 74931 44d4b1 74930->74931 75017 448d4a 74931->75017 74934 448b05 VariantClear 74935 44d4e3 74934->74935 75034 442a72 74935->75034 74938 422fec 3 API calls 74939 44d594 74938->74939 74940 44d742 74939->74940 74941 44d5cd 74939->74941 75065 44cd49 malloc _CxxThrowException free 74940->75065 74943 44d7d9 74941->74943 75038 449317 74941->75038 75068 421e40 free 74943->75068 74944 44d754 74947 422fec 3 API calls 74944->74947 74950 44d763 74947->74950 74948 44d7e1 75069 421e40 free 74948->75069 75066 421e40 free 74950->75066 74952 
44d5f1 74955 4604d2 5 API calls 74952->74955 74954 44d7e9 74957 44326b free 74954->74957 74958 44d5f9 74955->74958 74956 44d76b 75067 421e40 free 74956->75067 74968 44d69a 74957->74968 75044 44e332 74958->75044 74962 44d773 74964 44326b free 74962->74964 74964->74968 74965 44d610 75051 421e40 free 74965->75051 74967 44d618 75052 44326b 74967->75052 74970 44d2a8 74970->74968 74992 44d883 74970->74992 74973 422fec 3 API calls 74974 44d361 74973->74974 74975 422fec 3 API calls 74974->74975 74976 44d36d 74975->74976 75004 44d0e1 74976->75004 74993 44d88d __EH_prolog 74992->74993 74994 422e04 2 API calls 74993->74994 74995 44d8c6 74994->74995 74996 422e04 2 API calls 74995->74996 74997 44d8d2 74996->74997 74998 422e04 2 API calls 74997->74998 74999 44d8de 74998->74999 75070 442b63 74999->75070 75002 442b63 2 API calls 75003 44d34f 75002->75003 75003->74973 75005 44d0eb __EH_prolog 75004->75005 75025 448d54 __EH_prolog 75017->75025 75018 448e15 75020 448e2d 75018->75020 75022 448e21 75018->75022 75023 448e5e 75018->75023 75019 448e09 75021 42965d VariantClear 75019->75021 75020->75023 75024 448e2b 75020->75024 75026 448e11 75021->75026 75079 423097 malloc _CxxThrowException free SysStringLen ctype 75022->75079 75028 42965d VariantClear 75023->75028 75030 42965d VariantClear 75024->75030 75032 448da4 75025->75032 75078 422b55 malloc _CxxThrowException free _CxxThrowException ctype 75025->75078 75026->74934 75028->75026 75031 448e47 75030->75031 75031->75026 75080 448e7c 6 API calls __EH_prolog 75031->75080 75032->75018 75032->75019 75032->75026 75035 442a82 75034->75035 75036 422e04 2 API calls 75035->75036 75037 442a9f 75036->75037 75037->74938 75041 449321 __EH_prolog 75038->75041 75039 42965d VariantClear 75040 4493d0 75039->75040 75040->74943 75040->74952 75043 449360 75041->75043 75081 429686 VariantClear 75041->75081 75043->75039 75045 44e33c __EH_prolog 75044->75045 75046 421e0c ctype 2 API calls 75045->75046 75047 44e34a 75046->75047 75048 44d608 75047->75048 
75082 44e3d1 malloc _CxxThrowException __EH_prolog 75047->75082 75050 421e40 free 75048->75050 75050->74965 75051->74967 75053 443275 __EH_prolog 75052->75053 75083 442c0b 75053->75083 75056 442c0b ctype free 75057 443296 75056->75057 75088 421e40 free 75057->75088 75059 44329e 75089 421e40 free 75059->75089 75061 4432a6 75090 421e40 free 75061->75090 75063 4432ae 75063->74970 75065->74944 75066->74956 75067->74962 75068->74948 75069->74954 75071 442b6d __EH_prolog 75070->75071 75072 422e04 2 API calls 75071->75072 75073 442b9a 75072->75073 75074 422e04 2 API calls 75073->75074 75075 442ba5 75074->75075 75075->75002 75078->75032 75079->75024 75080->75026 75081->75043 75082->75048 75091 421e40 free 75083->75091 75085 442c16 75092 421e40 free 75085->75092 75087 442c1e 75087->75056 75088->75059 75089->75061 75090->75063 75091->75085 75092->75087 75093 44d948 75123 44dac7 75093->75123 75095 44d94f 75096 422e04 2 API calls 75095->75096 75097 44d97b 75096->75097 75098 422e04 2 API calls 75097->75098 75099 44d987 75098->75099 75102 44d9e7 75099->75102 75131 426404 75099->75131 75104 44da36 75102->75104 75105 44da0f 75102->75105 75109 44da94 75104->75109 75116 422da9 2 API calls 75104->75116 75120 4604d2 5 API calls 75104->75120 75158 421524 malloc _CxxThrowException __EH_prolog ctype 75104->75158 75159 421e40 free 75104->75159 75156 421e40 free 75105->75156 75108 44d9bf 75154 421e40 free 75108->75154 75160 421e40 free 75109->75160 75110 44da17 75157 421e40 free 75110->75157 75114 44d9c7 75155 421e40 free 75114->75155 75115 44da9c 75161 421e40 free 75115->75161 75116->75104 75119 44d9cf 75120->75104 75124 44dad1 __EH_prolog 75123->75124 75125 422e04 2 API calls 75124->75125 75126 44db33 75125->75126 75127 422e04 2 API calls 75126->75127 75128 44db3f 75127->75128 75129 422e04 2 API calls 75128->75129 75130 44db55 75129->75130 75130->75095 75162 42631f 75131->75162 75134 426423 75136 422f88 3 API calls 75134->75136 75135 422f88 3 API calls 75135->75134 75137 42643d 
[Control-flow graph data from the interactive graph view (node IDs, basic-block addresses, and the API names called from each block), not reproduced here.]

                                              Control-flow Graph
                                              Basic blocks of the function at 429313 and their successors:
                                              • 429313-429338 GetCurrentProcess, OpenProcessToken -> 429390 or 42933a
                                              • 42933a-42934a LookupPrivilegeValueW -> 429382 or 42934c
                                              • 42934c-429370 AdjustTokenPrivileges -> 429382 or 429372
                                              • 429372-429380 GetLastError -> 429385
                                              • 429382 -> 429385
                                              • 429385-42938e CloseHandle -> 429393
                                              • 429390 -> 429393
                                              • 429393-429398 (return)
                                              APIs
                                              • GetCurrentProcess.KERNEL32(00000020,00431EC5,?,7597AB50,?,?,?,?,00431EC5,00431CEF), ref: 00429329
                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00431EC5,00431CEF), ref: 00429330
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 00429342
                                              • AdjustTokenPrivileges.KERNELBASE(00431EC5,00000000,?,00000000,00000000,00000000), ref: 00429368
                                              • GetLastError.KERNEL32 ref: 00429372
                                              • CloseHandle.KERNELBASE(00431EC5,?,?,?,?,00431EC5,00431CEF), ref: 00429388
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                              • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                              • String ID: SeRestorePrivilege

                                              Control-flow Graph

                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00433D6B
                                              • GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00433D7D
                                              • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00433D94
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00433DB6
                                              • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00433DCB
                                              • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00433DD5
                                              Strings
                                              Similarity
                                              • API ID: ProcessToken$AdjustCurrentErrorH_prologLastLookupOpenPrivilegePrivilegesValue
                                              • String ID: SeSecurityPrivilege
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 004681F1
                                                • Part of subcall function 0046F749: _CxxThrowException.MSVCRT(?,004D4A58), ref: 0046F792
                                              Strings
                                              Similarity
                                              • API ID: ExceptionH_prologThrow
                                              • String ID:
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0042686D
                                                • Part of subcall function 00426848: FindClose.KERNELBASE(00000000,?,00426880), ref: 00426853
                                              • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 004268A5
                                              • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 004268DE
                                              Similarity
                                              • API ID: Find$FileFirst$CloseH_prolog
                                              • String ID:

                                              Control-flow Graph

                                              Strings
                                              Similarity
                                              • API ID: fputs$ExceptionThrow
                                              • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $`&N$p&N$N

                                              Control-flow Graph

                                              APIs
                                              • fputs.MSVCRT(Scanning the drive for archives:), ref: 0045A43E
                                                • Part of subcall function 00421FA0: fputc.MSVCRT ref: 00421FA7
                                              Strings
                                              Similarity
                                              • API ID: fputcfputs
                                              • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $`&N$p&N$!"$N

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 0045B5B1: fputs.MSVCRT ref: 0045B5CA
                                                • Part of subcall function 0045B5B1: fputs.MSVCRT ref: 0045B5E1
                                              • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?), ref: 004599BD
                                              • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?,?,?), ref: 004599C4
                                              • _CxxThrowException.MSVCRT(?,004D55B8), ref: 00459A77
                                              • _CxxThrowException.MSVCRT(?,004D55B8), ref: 00459ABB
                                                • Part of subcall function 00421FB3: __EH_prolog.LIBCMT ref: 00421FB8
                                              Strings
                                              Similarity
                                              • API ID: ExceptionThrowfputs$BufferConsoleH_prologHandleInfoScreen
                                              • String ID: $ || $Codecs:$Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$P$offset=$p&N$p&N$N

                                              Control-flow Graph

                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00431AE3
                                                • Part of subcall function 004213F5: __EH_prolog.LIBCMT ref: 004213FA
                                              • _CxxThrowException.MSVCRT(?,004D6010), ref: 00431B2D
                                              • _fileno.MSVCRT ref: 00431B3E
                                              • _isatty.MSVCRT ref: 00431B47
                                              • _fileno.MSVCRT ref: 00431B5D
                                              • _isatty.MSVCRT ref: 00431B60
                                              • _fileno.MSVCRT ref: 00431B73
                                              • _CxxThrowException.MSVCRT(?,004D6010), ref: 00431CBB
                                              • _CxxThrowException.MSVCRT(?,004D6010), ref: 00431DBD
                                              • wcscmp.MSVCRT ref: 00431DCA
                                              • _CxxThrowException.MSVCRT(?,004D6010), ref: 00431E04
                                              • _isatty.MSVCRT ref: 00431B76
                                                • Part of subcall function 00441D73: __EH_prolog.LIBCMT ref: 00441D78
                                              • _CxxThrowException.MSVCRT(?,004D6010), ref: 00431E2C
                                              • GetCurrentProcess.KERNEL32(00000000,00000000,?,Set process affinity mask: ,?), ref: 00431E3B
                                              • SetProcessAffinityMask.KERNEL32(00000000), ref: 00431E42
                                              • GetLastError.KERNEL32(?,Set process affinity mask: ,?), ref: 00431E4C
                                              Strings
                                              • Unsupported switch postfix -stm, xrefs: 00431DAA
                                              • Set process affinity mask: , xrefs: 00431D74
                                              • SeLockMemoryPrivilege, xrefs: 00431D28
                                              • Unsupported switch postfix for -slp, xrefs: 00431DF1
                                              • Unsupported switch postfix -bb, xrefs: 00431CA8
                                              • unsupported value -stm, xrefs: 00431E19
                                              • : ERROR : , xrefs: 00431E52
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                              • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: ExceptionThrow$H_prolog_fileno_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                                              • String ID: : ERROR : $SeLockMemoryPrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp$unsupported value -stm
                                              • API String ID: 1826148334-1115009270
                                              • Opcode ID: c48da54314a32325feb062f064b570ddf2e090f5ec6059bf302295ca598fe030
                                              • Instruction ID: e44486c9abb5d80881f2eb8097684cf95fa270eac726a6d4a24126cbc05bace0
                                              • Opcode Fuzzy Hash: c48da54314a32325feb062f064b570ddf2e090f5ec6059bf302295ca598fe030
                                              • Instruction Fuzzy Hash: 7EC1D3319002449FDB11DFB9C885BDABBF1AF19304F14946FE499973A2C77CA944CB28

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 777 458012-458032 call 4bfb10 780 458285 777->780 781 458038-45806c fputs call 458341 777->781 783 458287-458295 780->783 785 45806e-458071 781->785 786 4580c8-4580cd 781->786 789 458073-458089 fputs call 421fa0 785->789 790 45808b-45808d 785->790 787 4580d6-4580df 786->787 788 4580cf-4580d4 786->788 791 4580e2-458110 call 458341 call 458622 787->791 788->791 789->786 793 458096-45809f 790->793 794 45808f-458094 790->794 804 458112-458119 call 45831f 791->804 805 45811e-45812f call 458565 791->805 797 4580a2-4580c7 call 422e47 call 4585c6 call 421e40 793->797 794->797 797->786 804->805 805->783 812 458135-45813f 805->812 813 458141-458148 call 4582bb 812->813 814 45814d-45815b 812->814 813->814 814->783 817 458161-458164 814->817 818 4581b6-4581c0 817->818 819 458166-458186 817->819 820 458276-45827f 818->820 821 4581c6-4581e1 fputs 818->821 823 45818c-458196 call 458565 819->823 824 458298-45829d 819->824 820->780 820->781 821->820 826 4581e7-4581fb 821->826 831 45819b-45819d 823->831 827 4582b1-4582b9 SysFreeString 824->827 829 458273 826->829 830 4581fd-45821f 826->830 827->783 829->820 834 458221-458245 830->834 835 45829f-4582a1 830->835 831->824 832 4581a3-4581b4 SysFreeString 831->832 832->818 832->819 838 458247-458271 call 4584a7 call 42965d SysFreeString 834->838 839 4582a3-4582ab call 42965d 834->839 836 4582ae 835->836 836->827 838->829 838->830 839->836
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00458017
                                              • fputs.MSVCRT ref: 0045804D
                                                • Part of subcall function 00458341: __EH_prolog.LIBCMT ref: 00458346
                                                • Part of subcall function 00458341: fputs.MSVCRT ref: 0045835B
                                                • Part of subcall function 00458341: fputs.MSVCRT ref: 00458364
                                              • fputs.MSVCRT ref: 0045807A
                                                • Part of subcall function 00421FA0: fputc.MSVCRT ref: 00421FA7
                                                • Part of subcall function 0042965D: VariantClear.OLEAUT32(?), ref: 0042967F
                                              • SysFreeString.OLEAUT32(00000000), ref: 004581AA
                                              • fputs.MSVCRT ref: 004581CD
                                              • SysFreeString.OLEAUT32(00000000), ref: 00458267
                                              • SysFreeString.OLEAUT32(00000000), ref: 004582B1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                              • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                                              • String ID: --$----$Path$Type$Warning: The archive is open with offset
                                              • API String ID: 2889736305-3797937567
                                              • Opcode ID: c66b7bf5f7c093c24911b168a34e9a0b600216f47934dc0b79d6760824e986b5
                                              • Instruction ID: 636ac5b190d3b4fa0d7e3c5b4a47273528e19504b6e95aac8ac0737941c0f965
                                              • Opcode Fuzzy Hash: c66b7bf5f7c093c24911b168a34e9a0b600216f47934dc0b79d6760824e986b5
                                              • Instruction Fuzzy Hash: 69916B31A00605AFCB14DFA5C985EAEB7B5FF48315F10416EE812B7292DF78A909CB58

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 846 456766-456792 call 4bfb10 EnterCriticalSection 849 456794-456799 call 45c7d7 846->849 850 4567af-4567b7 846->850 854 45679e-4567ac 849->854 852 4567be-4567c3 850->852 853 4567b9 call 421f91 850->853 856 456892-4568a8 852->856 857 4567c9-4567d5 852->857 853->852 854->850 860 456941 856->860 861 4568ae-4568b4 856->861 858 456817-45682f 857->858 859 4567d7-4567dd 857->859 862 456831-456842 call 421fa0 858->862 863 456873-45687b 858->863 859->858 865 4567df-4567eb 859->865 864 456943-45695a 860->864 861->860 866 4568ba-4568c2 861->866 862->863 880 456844-45686c fputs call 422201 862->880 868 456881-456887 863->868 869 456933-45693f call 45c5cd 863->869 870 4567f3-456801 865->870 871 4567ed 865->871 866->869 872 4568c4-4568e6 call 421fa0 fputs 866->872 868->869 875 45688d 868->875 869->864 870->863 877 456803-456815 fputs 870->877 871->870 884 4568e8-4568f9 fputs 872->884 885 4568fb-456917 call 434f2a call 421fb3 call 421e40 872->885 881 45692e call 421f91 875->881 883 45686e call 421fa0 877->883 880->883 881->869 883->863 889 45691c-456928 call 421fa0 884->889 885->889 889->881
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0045676B
                                              • EnterCriticalSection.KERNEL32(004E2938), ref: 00456781
                                              • fputs.MSVCRT ref: 0045680B
                                              • LeaveCriticalSection.KERNEL32(004E2938), ref: 00456944
                                                • Part of subcall function 0045C7D7: fputs.MSVCRT ref: 0045C840
                                              • fputs.MSVCRT ref: 00456851
                                                • Part of subcall function 00422201: fputs.MSVCRT ref: 0042221E
                                              • fputs.MSVCRT ref: 004568D9
                                              • fputs.MSVCRT ref: 004568F6
                                                • Part of subcall function 00421FA0: fputc.MSVCRT ref: 00421FA7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                              • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                                              • String ID: v$8)N$8)N$Sub items Errors:
                                              • API String ID: 2670240366-1324075595
                                              • Opcode ID: 2752a1cc1aee476fc279c46f76de2c1aaf58580150eee09fb0ae80e7f5c6be4e
                                              • Instruction ID: 2431f6306339243f5db1737259b9d8e2e363f3fed991b4ebce12fa67fa91cd91
                                              • Opcode Fuzzy Hash: 2752a1cc1aee476fc279c46f76de2c1aaf58580150eee09fb0ae80e7f5c6be4e
                                              • Instruction Fuzzy Hash: 0251C331601600CFC724AF65D994AEAB7E2FF44315F95442FE99A87262CB397C48CF58

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 898 456359-456373 call 4bfb10 901 456375-456385 call 45c7d7 898->901 902 45639e-4563af call 455a4d 898->902 901->902 909 456387-45639b 901->909 907 4563b5-4563cd 902->907 908 4565ee-4565f1 902->908 910 4563d2-4563d4 907->910 911 4563cf 907->911 912 456624-45663c 908->912 913 4565f3-4565fb 908->913 909->902 916 4563d6-4563d9 910->916 917 4563df-4563e7 910->917 911->910 914 456643-45664b 912->914 915 45663e call 421f91 912->915 918 456601-456607 call 458012 913->918 919 4566ea call 45c5cd 913->919 914->919 922 456651-45668f fputs call 42211a call 421fa0 call 458685 914->922 915->914 916->917 921 4564b1-4564bc call 456700 916->921 923 456411-456413 917->923 924 4563e9-4563f2 call 421fa0 917->924 929 45660c-45660e 918->929 933 4566ef-4566fd 919->933 944 4564c7-4564cf 921->944 945 4564be-4564c1 921->945 922->933 987 456691-456697 922->987 927 456415-45641d 923->927 928 456442-456446 923->928 924->923 949 4563f4-45640c call 42210c call 421fa0 924->949 934 45641f-456425 call 456134 927->934 935 45642a-45643b 927->935 938 456497-45649f 928->938 939 456448-456450 928->939 929->933 936 456614-45661f call 421fa0 929->936 934->935 935->928 936->919 938->921 950 4564a1-4564ac call 421fa0 call 421f91 938->950 946 456452-45647a fputs call 421fa0 call 421fb3 call 421fa0 939->946 947 45647f-456490 939->947 953 4564d1-4564da call 421fa0 944->953 954 4564f9-4564fb 944->954 945->944 952 4565a2-4565a6 945->952 946->947 947->938 949->923 950->921 960 4565a8-4565b6 952->960 961 4565da-4565e6 952->961 953->954 984 4564dc-4564f4 call 42210c call 421fa0 953->984 966 4564fd-456505 954->966 967 45652a-45652e 954->967 971 4565d3 960->971 972 4565b8-4565ca call 456244 960->972 961->907 977 4565ec 961->977 968 456507-45650d call 456134 966->968 969 456512-456523 966->969 973 456530-456538 967->973 974 45657f-456587 967->974 968->969 969->967 971->961 972->971 997 4565cc-4565ce call 421f91 972->997 982 456567-456578 973->982 983 
45653a-456562 fputs call 421fa0 call 421fb3 call 421fa0 973->983 974->952 986 456589-456595 call 421fa0 974->986 977->908 982->974 983->982 984->954 986->952 1002 456597-45659d call 421f91 986->1002 988 4566df-4566e5 call 421f91 987->988 989 456699-45669f 987->989 988->919 995 4566a1-4566b1 fputs 989->995 996 4566b3-4566ce call 434f2a call 421fb3 call 421e40 989->996 1003 4566d3-4566da call 421fa0 995->1003 996->1003 997->971 1002->952 1003->988
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0045635E
                                              • fputs.MSVCRT ref: 0045645F
                                                • Part of subcall function 0045C7D7: fputs.MSVCRT ref: 0045C840
                                              • fputs.MSVCRT ref: 00456547
                                              • fputs.MSVCRT ref: 0045665F
                                              • fputs.MSVCRT ref: 004566AE
                                                • Part of subcall function 00421F91: fflush.MSVCRT ref: 00421F93
                                                • Part of subcall function 00421FB3: __EH_prolog.LIBCMT ref: 00421FB8
                                                • Part of subcall function 00421E40: free.MSVCRT ref: 00421E44
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                              • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs$H_prolog$fflushfree
                                              • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                                              • API String ID: 1750297421-1898165966
                                              • Opcode ID: 79a59f5b5c410aa7f42799c3fdb94f7cf02c489ea7550ecd90ec136c732744cf
                                              • Instruction ID: 580fd8001f84589cd443bd07819b4a7fafe3d6b7e504ba2e9658946975af083d
                                              • Opcode Fuzzy Hash: 79a59f5b5c410aa7f42799c3fdb94f7cf02c489ea7550ecd90ec136c732744cf
                                              • Instruction Fuzzy Hash: DDB1BE306017019FDB24EF61D991BABB3A1BF44309F85452FE95A433A2CB38AC48CF58

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1016 429c8f-429cc2 GetModuleHandleA GetProcAddress 1017 429cc4-429ccc GlobalMemoryStatusEx 1016->1017 1018 429cef-429d06 GlobalMemoryStatus 1016->1018 1017->1018 1019 429cce-429cd7 1017->1019 1020 429d0b-429d0d 1018->1020 1021 429d08 1018->1021 1022 429ce5 1019->1022 1023 429cd9 1019->1023 1024 429d11-429d15 1020->1024 1021->1020 1027 429ce8-429ced 1022->1027 1025 429ce0-429ce3 1023->1025 1026 429cdb-429cde 1023->1026 1025->1027 1026->1022 1026->1025 1027->1024
                                              APIs
                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00429CB3
                                              • GetProcAddress.KERNEL32(00000000), ref: 00429CBA
                                              • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00429CC8
                                              • GlobalMemoryStatus.KERNEL32(?), ref: 00429CFA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                              • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus$AddressHandleModuleProc
                                              • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                                              • API String ID: 180289352-802862622
                                              • Opcode ID: 8c6d6ec15f08b460171a658b0506c795e681f8f3e3d8ec197fcfeb8d972cfeed
                                              • Instruction ID: 51c12534eb5b951309f57239650b263b64ac6eada8abe009807390508ba741e0
                                              • Opcode Fuzzy Hash: 8c6d6ec15f08b460171a658b0506c795e681f8f3e3d8ec197fcfeb8d972cfeed
                                              • Instruction Fuzzy Hash: 30115B74A0022A9BCF20DF95E989BAEB7F4BB04305F50041ED486A7240D77CAC40CF58

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1028 46f1b2-46f1ce call 4bfb10 call 431168 1032 46f1d3-46f1d5 1028->1032 1033 46f36a-46f378 1032->1033 1034 46f1db-46f1e4 call 46f3e4 1032->1034 1037 46f1e6-46f1e8 1034->1037 1038 46f1ed-46f1f2 1034->1038 1037->1033 1039 46f1f4-46f1f9 1038->1039 1040 46f203-46f21a 1038->1040 1039->1040 1041 46f1fb-46f1fe 1039->1041 1043 46f231-46f248 memcpy 1040->1043 1044 46f21c-46f22c _CxxThrowException 1040->1044 1041->1033 1045 46f24c-46f257 1043->1045 1044->1043 1046 46f25c-46f25e 1045->1046 1047 46f259 1045->1047 1048 46f260-46f26f 1046->1048 1049 46f281-46f299 1046->1049 1047->1046 1050 46f271 1048->1050 1051 46f279-46f27b 1048->1051 1057 46f311-46f313 1049->1057 1058 46f29b-46f2a0 1049->1058 1052 46f277 1050->1052 1053 46f273-46f275 1050->1053 1051->1049 1054 46f315-46f318 1051->1054 1052->1051 1053->1051 1053->1052 1056 46f357-46f368 1054->1056 1056->1033 1057->1056 1058->1054 1059 46f2a2-46f2b5 call 46f37b 1058->1059 1063 46f2b7-46f2cf call 4be1a0 1059->1063 1064 46f2f0-46f30c memmove 1059->1064 1067 46f2d1-46f2eb call 46f37b 1063->1067 1068 46f31a-46f355 memcpy 1063->1068 1064->1045 1067->1063 1072 46f2ed 1067->1072 1068->1056 1072->1064
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                              • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: CM$CM
                                              • API String ID: 3519838083-4131767566
                                              • Opcode ID: dd01eae7b86d99f5a104e92f2b8d70ba2224c08a5e80341e3e1d89c7cff624c1
                                              • Instruction ID: dfe1fc45436101f660874d2d5f81bd18566fa50ee0a9657b8d34ec791368ce93
                                              • Opcode Fuzzy Hash: dd01eae7b86d99f5a104e92f2b8d70ba2224c08a5e80341e3e1d89c7cff624c1
                                              • Instruction Fuzzy Hash: A451C036A003059FCB10DFA4D8D0BAEB3B5FF88314F14842AE941AB341E779AD498B65

                                              Control-flow Graph

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                              • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
                                              • String ID:
                                              • API String ID: 4012487245-0
                                              • Opcode ID: 1e6482461a5e7ff22783ac42aa01eedc2c313b6d70f8a09662411995cf198db0
                                              • Instruction ID: 5134f03760a117f5b654f9cf6d338887c765bed791ac9faf31f310467ad415e5
                                              • Opcode Fuzzy Hash: 1e6482461a5e7ff22783ac42aa01eedc2c313b6d70f8a09662411995cf198db0
                                              • Instruction Fuzzy Hash: 42215E75900388EFCB409FA6DC85F997B78FB09725F14022AF915A62E2CBB85440CF28

                                              Control-flow Graph

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                              • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__setusermatherr_controlfpexit
                                              • String ID:
                                              • API String ID: 279829931-0
                                              • Opcode ID: fcb8119539653f550c11783540db17672f318265317b9c691086d8ad3f841e2d
                                              • Instruction ID: 1e46713b1a1726b90e84bbff30aeae5c910ec1acf79ec398c1104140ce9c66cd
                                              • Opcode Fuzzy Hash: fcb8119539653f550c11783540db17672f318265317b9c691086d8ad3f841e2d
                                              • Instruction Fuzzy Hash: A2010075D40208EFDB449BE2DC85EED7779FB0C315B14001EFA05B62A2DA799540CF28

                                              Control-flow Graph

                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0044185D
                                                • Part of subcall function 0044021A: __EH_prolog.LIBCMT ref: 0044021F
                                                • Part of subcall function 0044062E: __EH_prolog.LIBCMT ref: 00440633
                                              • _CxxThrowException.MSVCRT(?,004D6010), ref: 00441961
                                                • Part of subcall function 00441AA5: __EH_prolog.LIBCMT ref: 00441AAA
                                              Strings
                                              • Duplicate archive path:, xrefs: 00441A8D
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                              • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$ExceptionThrow
                                              • String ID: Duplicate archive path:
                                              • API String ID: 2366012087-4000988232
                                              • Opcode ID: eaa65515537c56c5e32402e49ce16c3461ccc3bb0e587d39944d698b2ca75a0c
                                              • Instruction ID: 44a6df4238218d30cb67988111867201616bd54001aad5a27bb081e66e9601d4
                                              • Opcode Fuzzy Hash: eaa65515537c56c5e32402e49ce16c3461ccc3bb0e587d39944d698b2ca75a0c
                                              • Instruction Fuzzy Hash: CF816A31E00158DBDF15EFA5D991ADDB7B0AF18314F1040AFE416732A2DB38AE45CB68

                                              Control-flow Graph

                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00426C77
                                              • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 00426EC9
                                                • Part of subcall function 00426C72: wcscmp.MSVCRT ref: 004270A5
                                                • Part of subcall function 00426BF5: __EH_prolog.LIBCMT ref: 00426BFA
                                                • Part of subcall function 00426BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 00426C1A
                                                • Part of subcall function 00426BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00426C49
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                                              • String ID: :$DATA
                                              • API String ID: 3316598575-2587938151
                                              • Opcode ID: 4c01b3015e7d17f2914ef3d6b88687702c658b9157a35eccd51e304c50bee0af
                                              • Instruction ID: 487e52cb161620e942b047a088cad7c289574fd763c0dea1ee26ccb0c29c4c5d
                                              • Opcode Fuzzy Hash: 4c01b3015e7d17f2914ef3d6b88687702c658b9157a35eccd51e304c50bee0af
                                              • Instruction Fuzzy Hash: 04E13530B002289ACF21EFA5F981BEEB7B1AF14318F91401FE84567391DB7C6949CB19
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00436FCA
                                                • Part of subcall function 00436E71: __EH_prolog.LIBCMT ref: 00436E76
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
                                              • API String ID: 3519838083-394804653
                                              • Opcode ID: c9269d190b0429f37f33bcd8b20f37b4adde07831d43b1cd87e833e6dc5032db
                                              • Instruction ID: fd8a6d4b1beb2905f6a2a65aa1b420833d1f94dd35e9347c2c58b889ca15f39d
                                              • Opcode Fuzzy Hash: c9269d190b0429f37f33bcd8b20f37b4adde07831d43b1cd87e833e6dc5032db
                                              • Instruction Fuzzy Hash: E141C2B29082849BCF35DFA58490AEFBBB5AF5D300F54546FD1C6A3301C6386E45CB69
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs$H_prolog
                                              • String ID: =
                                              • API String ID: 2614055831-2525689732
                                              • Opcode ID: e2608886dca91fcc750cdadecb2b691287d9cf0cb9ff5222c23b4433a6ef807b
                                              • Instruction ID: bcf59c3a11a3680093803d6cbb59f1387af6913c68455a517da608d0a7d6dba7
                                              • Opcode Fuzzy Hash: e2608886dca91fcc750cdadecb2b691287d9cf0cb9ff5222c23b4433a6ef807b
                                              • Instruction Fuzzy Hash: C3216F32A04118EBCF05EB95E942BEEBBB5EF44314F20002FE401721A2DF791E45DA99
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0046BDBA
                                                • Part of subcall function 0046BE69: __EH_prolog.LIBCMT ref: 0046BE6E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: L$0L$DL
                                              • API String ID: 3519838083-2444887888
                                              • Opcode ID: fa2c9ea51055887d97c1fd89625c558558481772205d5d1a2eccb4a18b752343
                                              • Instruction ID: d37cb3e59f3826a36eeb6ba3f26cc92b81632d4bfd57bc185bce5900f33100c0
                                              • Opcode Fuzzy Hash: fa2c9ea51055887d97c1fd89625c558558481772205d5d1a2eccb4a18b752343
                                              • Instruction Fuzzy Hash: 961104B4500740DFC320CF9AC598A86FBE4FB18304F54C86F94AA87712D7B8A948CB59
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00458346
                                              • fputs.MSVCRT ref: 0045835B
                                              • fputs.MSVCRT ref: 00458364
                                                • Part of subcall function 004583BF: __EH_prolog.LIBCMT ref: 004583C4
                                                • Part of subcall function 004583BF: fputs.MSVCRT ref: 00458401
                                                • Part of subcall function 004583BF: fputs.MSVCRT ref: 00458437
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs$H_prolog
                                              • String ID: =
                                              • API String ID: 2614055831-2525689732
                                              • Opcode ID: 91639c6e5aa3342486208930b2a2756de1ca005304bc5f56d21c880e66d7303b
                                              • Instruction ID: 11071d1c50f675ddcb2e90b4fa5d4149ff85f71a45ddb3d38ba0c3ff919fb9ab
                                              • Opcode Fuzzy Hash: 91639c6e5aa3342486208930b2a2756de1ca005304bc5f56d21c880e66d7303b
                                              • Instruction Fuzzy Hash: E301A231B00014ABCB05BBA6D912BEEBB75AF84714F00401FF901A22A2CF7D4A55DBD9
                                              APIs
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,00000000,0043AB57), ref: 004B7DAA
                                              • GetLastError.KERNEL32(?,00000000,0043AB57), ref: 004B7DBB
                                              • CloseHandle.KERNELBASE(00000000,?,00000000,0043AB57), ref: 004B7DCF
                                              • GetLastError.KERNEL32(?,00000000,0043AB57), ref: 004B7DD9
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: ErrorLast$CloseHandleObjectSingleWait
                                              • String ID:
                                              • API String ID: 1796208289-0
                                              • Opcode ID: f6c88420f7dd12f9ded10783a43f95ab5a11fe1b5348e821d736d78eafe7189d
                                              • Instruction ID: b3f0b574ea9e0f01dd47c63aefb08adb58ebb93a33b83664507b65a950335f6f
                                              • Opcode Fuzzy Hash: f6c88420f7dd12f9ded10783a43f95ab5a11fe1b5348e821d736d78eafe7189d
                                              • Instruction Fuzzy Hash: D9F0F4713082015BDB605ABE9C84FF76A9C9F913F47240B3BE565D22D0DA68CC418639
                                              APIs
                                              • EnterCriticalSection.KERNEL32(004E2938), ref: 0045588B
                                              • LeaveCriticalSection.KERNEL32(004E2938), ref: 004558BC
                                                • Part of subcall function 0045C911: GetTickCount.KERNEL32 ref: 0045C926
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: CriticalSection$CountEnterLeaveTick
                                              • String ID: v$8)N
                                              • API String ID: 1056156058-2650726389
                                              • Opcode ID: b4410ad6bbb25c09f5f5eaa566b49df2f87c545055991012a262a8c895896531
                                              • Instruction ID: 29e299038838415b32ba1324dae69a2ccfa1ddfe94a2b616e284809db8971120
                                              • Opcode Fuzzy Hash: b4410ad6bbb25c09f5f5eaa566b49df2f87c545055991012a262a8c895896531
                                              • Instruction Fuzzy Hash: 68E06D75605210DFC304DF56D948E9A37E5AF98312F01047EF40987362C7388849CA69
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0044209B
                                                • Part of subcall function 0042757D: GetLastError.KERNEL32(0042D14C), ref: 0042757D
                                                • Part of subcall function 00442C6C: __EH_prolog.LIBCMT ref: 00442C71
                                                • Part of subcall function 00421E40: free.MSVCRT ref: 00421E44
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$ErrorLastfree
                                              • String ID: Cannot find archive file$The item is a directory
                                              • API String ID: 683690243-1569138187
                                              • Opcode ID: 7ffe3c2aea911e5666449c8542f3d0898db50bbf452af6771218b0d19837e0d9
                                              • Instruction ID: 135eee395388d35c2ac37f32d7782ec44c744000823c7c4327942cc0a35843f0
                                              • Opcode Fuzzy Hash: 7ffe3c2aea911e5666449c8542f3d0898db50bbf452af6771218b0d19837e0d9
                                              • Instruction Fuzzy Hash: F4726770D00218DFDB21DF69CA80BDEBBB1AF58304F55409AE859A7352C7B89E81CF59
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: CountTickfputs
                                              • String ID: .
                                              • API String ID: 290905099-4150638102
                                              • Opcode ID: 730d2753aa21e64eaa11df25e70e2da4452d6c47ea6509ef3f4a592e31abd98f
                                              • Instruction ID: 4361a3e55cbb0d10549cc26d7edb37f1547c3d8c5468c1a0cb5649a310b5a793
                                              • Opcode Fuzzy Hash: 730d2753aa21e64eaa11df25e70e2da4452d6c47ea6509ef3f4a592e31abd98f
                                              • Instruction Fuzzy Hash: 05716C30600B049FCB21EF65D5C1AABB7F5AF80305F40481EE88797652DBB8F949CB19
                                              APIs
                                                • Part of subcall function 00429C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00429CB3
                                                • Part of subcall function 00429C8F: GetProcAddress.KERNEL32(00000000), ref: 00429CBA
                                                • Part of subcall function 00429C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00429CC8
                                              • __aulldiv.LIBCMT ref: 0046093F
                                              • __aulldiv.LIBCMT ref: 0046094B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                                              • String ID: 3333
                                              • API String ID: 3520896023-2924271548
                                              • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                              • Instruction ID: d126ed06313c671c6b06b21582480d5e77ffe217c4cca9fd2d2da4c9851bb0d4
                                              • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                              • Instruction Fuzzy Hash: 292188F19007046EE7309F6A8C81A5BBAF9FB84754F00892FA18AD3641D674ED448769
                                              APIs
                                                • Part of subcall function 00421E40: free.MSVCRT ref: 00421E44
                                              • memset.MSVCRT ref: 0044AEBA
                                              • memset.MSVCRT ref: 0044AECD
                                                • Part of subcall function 004604D2: _CxxThrowException.MSVCRT(?,004D4A58), ref: 004604F8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: memset$ExceptionThrowfree
                                              • String ID: Split
                                              • API String ID: 1404239998-1882502421
                                              • Opcode ID: 732a3f2920562282403d857a5404fa196291665cbf9eae503a03e4268a854e42
                                              • Instruction ID: 418cac2f47fb10490f0ea7294a8a4899f49bd0638d36271e1ed24ed7bd3d9d96
                                              • Opcode Fuzzy Hash: 732a3f2920562282403d857a5404fa196291665cbf9eae503a03e4268a854e42
                                              • Instruction Fuzzy Hash: F1428C70E00258DFEF25DBA5C984BEEB7B2BF15304F14409AE409A7251CB38AE95CF16
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0042759F
                                                • Part of subcall function 0042764C: CloseHandle.KERNELBASE(00000000,?,004275AF,00000002,?,00000000,00000000), ref: 00427657
                                              • CreateFileW.KERNELBASE(00000000,00000000,?,00000000,00000002,00000000,00000000,?,00000000,00000002,?,00000000,00000000), ref: 004275E5
                                              • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,00000000,?,00000000,00000002), ref: 00427626
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: CreateFile$CloseH_prologHandle
                                              • String ID:
                                              • API String ID: 449569272-0
                                              • Opcode ID: fcf4895e6a39d6c676d13bfaeb22a7af9449081e0cc921d84f9eb5a6a23825c8
                                              • Instruction ID: 7b86b243bcf7178b837f2ba3a08f3e6ef7ea1c19080563a35839721818068707
                                              • Opcode Fuzzy Hash: fcf4895e6a39d6c676d13bfaeb22a7af9449081e0cc921d84f9eb5a6a23825c8
                                              • Instruction Fuzzy Hash: 9E11067290011AEFCF119FA5EC408EFBB7AFF44364B00852EF960522A1CB399D61DB54
                                              APIs
                                              • fputs.MSVCRT ref: 00458437
                                              • fputs.MSVCRT ref: 00458401
                                                • Part of subcall function 00421FB3: __EH_prolog.LIBCMT ref: 00421FB8
                                              • __EH_prolog.LIBCMT ref: 004583C4
                                                • Part of subcall function 00421FA0: fputc.MSVCRT ref: 00421FA7
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prologfputs$fputc
                                              • String ID:
                                              • API String ID: 678540050-0
                                              • Opcode ID: 0bb313cf9c4f4fa626146e396019d055fd0fbb2fb0028b53444377487e805f0e
                                              • Instruction ID: 4924b81a28c2bc825f1e92cc4be21f6ff5073a27ccde0beccddb88fa279006cc
                                              • Opcode Fuzzy Hash: 0bb313cf9c4f4fa626146e396019d055fd0fbb2fb0028b53444377487e805f0e
                                              • Instruction Fuzzy Hash: 8D11E331B041249BCB05B7A2E913AAEBB66DF84758F80002FF501A32A1DF6D1905CADC
                                              APIs
                                              • SetFilePointer.KERNELBASE(00000002,?,00000000,?,00000002,00000002,?,00000002,?,004277DB,?,?,00000000,?,00427832,?), ref: 00427773
                                              • GetLastError.KERNEL32(?,004277DB,?,?,00000000,?,00427832,?,?,?,?,00000000), ref: 00427780
                                              • SetLastError.KERNEL32(00000000,?,?,004277DB,?,?,00000000,?,00427832,?,?,?,?,00000000), ref: 00427797
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: ErrorLast$FilePointer
                                              • String ID:
                                              • API String ID: 1156039329-0
                                              • Opcode ID: 88e7576e0a1412a79b9e56fee97936ebd9d94f1f8a4056f1fe9974415da3f6ce
                                              • Instruction ID: be1aecff305ba1857ad1c315046fb1ae088daaa04491e2dee4fec85289cb8830
                                              • Opcode Fuzzy Hash: 88e7576e0a1412a79b9e56fee97936ebd9d94f1f8a4056f1fe9974415da3f6ce
                                              • Instruction Fuzzy Hash: 6011EF74300305AFEF118F68EC85BAF3BE5AF44364F14842AF81687391D7B8AD109B68
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00425A91
                                              • SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 00425AB7
                                              • SetFileAttributesW.KERNEL32(?,?,00000000,?,?,00000000), ref: 00425AEC
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: AttributesFile$H_prolog
                                              • String ID:
                                              • API String ID: 3790360811-0
                                              • Opcode ID: 39018f6e833f9d8496ec24e666fada2c3ab1da68f00ceb488c68b4d620934b56
                                              • Instruction ID: 2ee368f8f5ff210793b2490d3e16b011fb737916864f6c23bf079d67062bd41d
                                              • Opcode Fuzzy Hash: 39018f6e833f9d8496ec24e666fada2c3ab1da68f00ceb488c68b4d620934b56
                                              • Instruction Fuzzy Hash: E601D232F00225ABCF05ABA5BC81ABEBB75EF50350F54442FEC1163251CB3D5D11EA58
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00435BEF
                                                • Part of subcall function 004354C0: __EH_prolog.LIBCMT ref: 004354C5
                                                • Part of subcall function 00435630: __EH_prolog.LIBCMT ref: 00435635
                                                • Part of subcall function 004436EA: __EH_prolog.LIBCMT ref: 004436EF
                                                • Part of subcall function 004357C1: __EH_prolog.LIBCMT ref: 004357C6
                                                • Part of subcall function 004358BE: __EH_prolog.LIBCMT ref: 004358C3
                                              Strings
                                              • Cannot seek to begin of file, xrefs: 0043610F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: Cannot seek to begin of file
                                              • API String ID: 3519838083-2298593816
                                              • Opcode ID: 16c4f2077faa9d22632d36542e9e0684dc0a8c0b226e64f18aef5db566d1c570
                                              • Instruction ID: 65ab0947dbdb2e3379fd1333bd3edf3f585ce405d478d7e63a8e8185e971c696
                                              • Opcode Fuzzy Hash: 16c4f2077faa9d22632d36542e9e0684dc0a8c0b226e64f18aef5db566d1c570
                                              • Instruction Fuzzy Hash: A1124731904246AFDF25DFA4C885BEFBBF5AF08308F14905FE44657292CB78AA44CB59
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00464E8F
                                                • Part of subcall function 0042965D: VariantClear.OLEAUT32(?), ref: 0042967F
                                                • Part of subcall function 00421E40: free.MSVCRT ref: 00421E44
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: ClearH_prologVariantfree
                                              • String ID: file
                                              • API String ID: 904627215-2359244304
                                              • Opcode ID: 2aca021d74cfd9e191ae49d8b0fd5a5907dcb98fbc9796cc8913ce80776bf2c2
                                              • Instruction ID: 49bb1cffea452c5c66da843716360fb0d6b85516269379789f2db00cc1c1820c
                                              • Opcode Fuzzy Hash: 2aca021d74cfd9e191ae49d8b0fd5a5907dcb98fbc9796cc8913ce80776bf2c2
                                              • Instruction Fuzzy Hash: 9012C630A00218DFCF11EFA5DD41ADEBBB6BF54348F60406EE405A7262DB799E45CB19
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00442CE0
                                                • Part of subcall function 00425E10: __EH_prolog.LIBCMT ref: 00425E15
                                                • Part of subcall function 004341EC: _CxxThrowException.MSVCRT(?,004D4A58), ref: 0043421A
                                                • Part of subcall function 0042965D: VariantClear.OLEAUT32(?), ref: 0042967F
                                              Strings
                                              • Cannot create output directory, xrefs: 00443070
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$ClearExceptionThrowVariant
                                              • String ID: Cannot create output directory
                                              • API String ID: 814188403-1181934277
                                              • Opcode ID: 4f58e6e0d1dc79baee954e16fd43fa012cdbace063928dd51a1fa0126545c57d
                                              • Instruction ID: 915411ab7f676b62370d8d9040d24d233351692adb8f53b6e830d9b6d10df2d2
                                              • Opcode Fuzzy Hash: 4f58e6e0d1dc79baee954e16fd43fa012cdbace063928dd51a1fa0126545c57d
                                              • Instruction Fuzzy Hash: 85F1C430900249EFDF25DFA4C990AEEBBB1BF18304F94405EF44563252D7786E49DB59
                                              APIs
                                              • fputs.MSVCRT ref: 0045C840
                                                • Part of subcall function 004225CB: _CxxThrowException.MSVCRT(?,004D4A58), ref: 004225ED
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: ExceptionThrowfputs
                                              • String ID:
                                              • API String ID: 1334390793-399585960
                                              • Opcode ID: cc75fd0e727a555667f9fcceb8ff6b6ae9c632ea9edb833bf9004a4ac4ce848a
                                              • Instruction ID: 173e38acdf91965bf26c8183cc2026059bab385ebc944d8c351b3d9f835ec278
                                              • Opcode Fuzzy Hash: cc75fd0e727a555667f9fcceb8ff6b6ae9c632ea9edb833bf9004a4ac4ce848a
                                              • Instruction Fuzzy Hash: C0110471604700AFDB15CF59C8C1BAAFBE6EF49305F04446EE5468B251CBB5BC04CB64
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs
                                              • String ID: Open
                                              • API String ID: 1795875747-71445658
                                              • Opcode ID: 41cc3f06a3607fdf02c4874e477ce8d55cab97f7ad1ed7d2c54186e7cc015d96
                                              • Instruction ID: 5f40fbf9665986b51c580b450827421db8c4f55ad172e922a7e58f155d7e01a1
                                              • Opcode Fuzzy Hash: 41cc3f06a3607fdf02c4874e477ce8d55cab97f7ad1ed7d2c54186e7cc015d96
                                              • Instruction Fuzzy Hash: 561106321007049FC760DF35ED91ADABBE1EF14314F90842FE45A83212DB39A808CF58
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 004358C3
                                                • Part of subcall function 00426C72: __EH_prolog.LIBCMT ref: 00426C77
                                                • Part of subcall function 00421E40: free.MSVCRT ref: 00421E44
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$free
                                              • String ID:
                                              • API String ID: 2654054672-0
                                              • Opcode ID: 791aababacfa9f46eb75b43b4f0962dccaed48e7928b3301f6c59d13fd0b2fae
                                              • Instruction ID: 4cab2db68fec49c3aa1bf82d57de80e2b6b019dd321830aa87ec0bf79450eaaa
                                              • Opcode Fuzzy Hash: 791aababacfa9f46eb75b43b4f0962dccaed48e7928b3301f6c59d13fd0b2fae
                                              • Instruction Fuzzy Hash: 7F913431A00515DFCF25EBA5D881AEFBBB2EF48354F10006FE842A7251DB386D04DBA9
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 004706B3
                                              • _CxxThrowException.MSVCRT(?,004DD480), ref: 004708F2
                                                • Part of subcall function 00421E0C: malloc.MSVCRT ref: 00421E1F
                                                • Part of subcall function 00421E0C: _CxxThrowException.MSVCRT(?,004D4B28), ref: 00421E39
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: ExceptionThrow$H_prologmalloc
                                              • String ID:
                                              • API String ID: 3044594480-0
                                              • Opcode ID: a353dae4d970a450461b5b35d8df4c5a2a2abf9f611003d20d6a544e6f4bd665
                                              • Instruction ID: 927cf1a96df5501cd4da7cb799596c4c3547905f0075ab5c00a74b36f0d7d84b
                                              • Opcode Fuzzy Hash: a353dae4d970a450461b5b35d8df4c5a2a2abf9f611003d20d6a544e6f4bd665
                                              • Instruction Fuzzy Hash: CC915B70901259DFCF21DFA9C881AEEBBB5AF09304F15809EE449A3252D738AE44CF65
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: e0cd59607d8e834ba203e605f8a146bef917fe063c8a3f7f54d137548113a8ba
                                              • Instruction ID: 39d7d8fee54c1ee83170cdd9cc03e7bedb53140dcc101181442043d7a4dfb616
                                              • Opcode Fuzzy Hash: e0cd59607d8e834ba203e605f8a146bef917fe063c8a3f7f54d137548113a8ba
                                              • Instruction Fuzzy Hash: 05517CB1548B40AFDB35CF64C490AEBBBF1BF49304F18989EE4DA4B202C734A984DB55
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00447B4D
                                              • memcpy.MSVCRT(00000000,004E27DC,00000000,00000000,?,?,00000000,00000000,00000000,00000002), ref: 00447C65
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prologmemcpy
                                              • String ID:
                                              • API String ID: 2991061955-0
                                              • Opcode ID: b063179cbaa4b07cd6f2562611c89f2dc3296b032af728279973cb3b4f6573d2
                                              • Instruction ID: 2ab23c5ac0704c489b90a1ed1eec3b6921931de4b440ed315c21a40511324a06
                                              • Opcode Fuzzy Hash: b063179cbaa4b07cd6f2562611c89f2dc3296b032af728279973cb3b4f6573d2
                                              • Instruction Fuzzy Hash: 094191309042589BDF20EFA5D981ADEB7F4FF04308F10445EE446A7252DB78AE0ACB58
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00471516
                                                • Part of subcall function 004710D3: __EH_prolog.LIBCMT ref: 004710D8
                                              • _CxxThrowException.MSVCRT(?,004DD480), ref: 00471561
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$ExceptionThrow
                                              • String ID:
                                              • API String ID: 2366012087-0
                                              • Opcode ID: 89dbefbf83f85bb4317ed8a577ada5d2680cd8d3a55a962f51811c899d12334e
                                              • Instruction ID: f1523968c6a3a217b3c8bcffe54aceda0b1a9965477793ef6824de5cf1e3d6db
                                              • Opcode Fuzzy Hash: 89dbefbf83f85bb4317ed8a577ada5d2680cd8d3a55a962f51811c899d12334e
                                              • Instruction Fuzzy Hash: E601F232504288BEDF118F98C815BEF7FB8EF81354F04805FF4495A221C3B9A95587A4
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00455800
                                              • fputs.MSVCRT ref: 00455830
                                                • Part of subcall function 00421FA0: fputc.MSVCRT ref: 00421FA7
                                                • Part of subcall function 00421E40: free.MSVCRT ref: 00421E44
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prologfputcfputsfree
                                              • String ID:
                                              • API String ID: 195749403-0
                                              • Opcode ID: 8ea537d7642000932112e4f2b9e12e65c6e5e5c3c6f1df1271e8afa9ca352229
                                              • Instruction ID: 1e9ca34c85a05351e86da9d26616b46be1f2c6693b12b168a553ff7607cf6558
                                              • Opcode Fuzzy Hash: 8ea537d7642000932112e4f2b9e12e65c6e5e5c3c6f1df1271e8afa9ca352229
                                              • Instruction Fuzzy Hash: 40F0BE32900014DBCB05BB95E912BEEBBB0EF04354F40442FE405A35A2CF386955CB88
                                              APIs
                                              • SysAllocStringLen.OLEAUT32(?,?), ref: 0042952C
                                              • _CxxThrowException.MSVCRT(?,004D55B8), ref: 0042954A
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: AllocExceptionStringThrow
                                              • String ID:
                                              • API String ID: 3773818493-0
                                              • Opcode ID: 26d7608b8b50786c935eaebf6dc35b0a07093a615ad00bcb256a57684fc797b5
                                              • Instruction ID: bff41b325b3289fedbac18fbac63f4f703d752b8431977e542aff4a378fa6c21
                                              • Opcode Fuzzy Hash: 26d7608b8b50786c935eaebf6dc35b0a07093a615ad00bcb256a57684fc797b5
                                              • Instruction Fuzzy Hash: 1FF03972710314ABC710EFA9E895E867BECAF04384B40847AF908CB610EA78E8408798
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs$fputc
                                              • String ID:
                                              • API String ID: 1185151155-0
                                              • Opcode ID: e55dbb8cd4a245286a50b86eb452f2b907deaaf33b55afecbbe72c532953c665
                                              • Instruction ID: 59bce1d212745e977e393e324d8eeb2e60a26964b5a0e98281c770431f454819
                                              • Opcode Fuzzy Hash: e55dbb8cd4a245286a50b86eb452f2b907deaaf33b55afecbbe72c532953c665
                                              • Instruction Fuzzy Hash: EBE08C3720A1246F961A2B49BC09E552795DB89362329003FEA4093260AF172C195AAC
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: ErrorLast_beginthreadex
                                              • String ID:
                                              • API String ID: 4034172046-0
                                              • Opcode ID: feae97f9eee17cc748b26d449db4624173cc03bb1ba3f31d3de0665a52a81772
                                              • Instruction ID: 0e83695db4810c79bad6bc9c88cadaf58de85b74c494b894b8e7d377cdff7dbc
                                              • Opcode Fuzzy Hash: feae97f9eee17cc748b26d449db4624173cc03bb1ba3f31d3de0665a52a81772
                                              • Instruction Fuzzy Hash: 61E0CDB22042016BF3109B50CC01FB7719CDFD0740F40447EFA49D6180E660CD00C379
                                              APIs
                                              • GetCurrentProcess.KERNEL32(?,?,00429C6E), ref: 00429C52
                                              • GetProcessAffinityMask.KERNEL32(00000000), ref: 00429C59
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: Process$AffinityCurrentMask
                                              • String ID:
                                              • API String ID: 1231390398-0
                                              • Opcode ID: d90740eb3caf2129ab3e0e9466cbf7c29ac6c0984fb80c924e8684ad13269cf2
                                              • Instruction ID: 7bc5b6444cc86e7ac40ceeb905248eb57bd7c0d68b8fc1eb93c67d80fa8b4d17
                                              • Opcode Fuzzy Hash: d90740eb3caf2129ab3e0e9466cbf7c29ac6c0984fb80c924e8684ad13269cf2
                                              • Instruction Fuzzy Hash: 65B012B2400100FFCF409BF1DD8CC163B2CFA043013004664F10DC2010C636C045CB68
                                              APIs
                                              • memcpy.MSVCRT(?,00000000,00000000,00000000,00040000,?), ref: 0042B843
                                              • GetLastError.KERNEL32 ref: 0042B8AA
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: ErrorLastmemcpy
                                              • String ID:
                                              • API String ID: 2523627151-0
                                              • Opcode ID: 9d51ddcc8bce8546b6a1c6ac0928ac23bafef7f4a4286dbe19f801f3ee218455
                                              • Instruction ID: a8d90a464cd431552aedac390ecebcace64fd7e950421533ea2406c1607518a4
                                              • Opcode Fuzzy Hash: 9d51ddcc8bce8546b6a1c6ac0928ac23bafef7f4a4286dbe19f801f3ee218455
                                              • Instruction Fuzzy Hash: BF8159317007259BDB64DE25E980A6BB3F6FF84314F94492EE84687B40D738F841CB99
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: ExceptionThrowmalloc
                                              • String ID:
                                              • API String ID: 2436765578-0
                                              • Opcode ID: bba7d56cf5e11a9402413efd1c7eb766b9c9f7b22bac6b69a86b686b9e6bd864
                                              • Instruction ID: e8a60d3677ceb791b076e0b9378e6964b5c7892f046ea88b2c9229c8ab1efe81
                                              • Opcode Fuzzy Hash: bba7d56cf5e11a9402413efd1c7eb766b9c9f7b22bac6b69a86b686b9e6bd864
                                              • Instruction Fuzzy Hash: ACE08C3010424CAACF106FA1E854B993B685B10399F509027F80C8E211C678D6948B58
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: a1b0c0feaee24170eb5f3e53fa9ce252a5ae3aedde84db8ffffdb93cae5b832d
                                              • Instruction ID: ccfa5b807d7d6b551de75080c7f4200aa42a22ba11e5689fb5c62fe70177a725
                                              • Opcode Fuzzy Hash: a1b0c0feaee24170eb5f3e53fa9ce252a5ae3aedde84db8ffffdb93cae5b832d
                                              • Instruction Fuzzy Hash: B4527F30900249DFDF11CFA8C594B9EBBB5EF49304F14409AE845EB391EB799E81CB56
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: ea05c8b3cd3cdefdad7306a47682bf4df776a51bbc734574c85a5de84b6ab653
                                              • Instruction ID: 7d9bc0a38e72c0cc1854743eb47900c20814cff8a208241443aee70f0a3a08c2
                                              • Opcode Fuzzy Hash: ea05c8b3cd3cdefdad7306a47682bf4df776a51bbc734574c85a5de84b6ab653
                                              • Instruction Fuzzy Hash: 70F1CF71904786EFCF21CF24C490AABBBE1BF19304F55986FD49A8B311D738A944CB5A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: 9ee6804865bf9101394ce3309bd012456a5a3c7f7b0559f0dcc3d34d89b5d391
                                              • Instruction ID: cf756896324ddecda5b76a8281c230bc9bda6fee0bb9e0bda4399981ab34c5e3
                                              • Opcode Fuzzy Hash: 9ee6804865bf9101394ce3309bd012456a5a3c7f7b0559f0dcc3d34d89b5d391
                                              • Instruction Fuzzy Hash: 61D1A070A00745AFDF24CFA9C880BEEBBF5BF18304F10852EE859A7661D779A844CB55
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0046CF96
                                                • Part of subcall function 00471511: __EH_prolog.LIBCMT ref: 00471516
                                                • Part of subcall function 00471511: _CxxThrowException.MSVCRT(?,004DD480), ref: 00471561
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$ExceptionThrow
                                              • String ID:
                                              • API String ID: 2366012087-0
                                              • Opcode ID: 98bb2322e78897a9d0e693fde8af4e15011f4af103e9f8a984099d72670018c4
                                              • Instruction ID: 20d884c8ca3f8e52217366c5cb3ee246b1631e5b02989db7af69c8cd0152cd6b
                                              • Opcode Fuzzy Hash: 98bb2322e78897a9d0e693fde8af4e15011f4af103e9f8a984099d72670018c4
                                              • Instruction Fuzzy Hash: D9514171E00249DFCB11CFA8C4C8BAEBBB4AF49308F14449EE45A97342D7759E45DB26
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: b8da50a0318964001ab72892023eb3d0bc847d97c125fa6d7d7d3779c10fcc68
                                              • Instruction ID: e9b0b032b491fd200a6ce49533ad8cf8eb17b4fbc894c717317613f02c5cf6e7
                                              • Opcode Fuzzy Hash: b8da50a0318964001ab72892023eb3d0bc847d97c125fa6d7d7d3779c10fcc68
                                              • Instruction Fuzzy Hash: 78516D74A00606DFCB14DF64C4809ABFBB2FF49344B10496ED992AB751D335A90ACF95
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: e0f53a21d432effd09d739cc88620cb0177b7664c002fe107af450f155bb3a57
                                              • Instruction ID: ad7d2e9907e6bd2d57843687b8b5734b161ec4e50c3b82825911d7c2e3dd6525
                                              • Opcode Fuzzy Hash: e0f53a21d432effd09d739cc88620cb0177b7664c002fe107af450f155bb3a57
                                              • Instruction Fuzzy Hash: BB41CF70A00B46EFDB20CF54C484B6ABBA1FF44310F188A6ED456A7A91E374ED91CF46
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00434255
                                                • Part of subcall function 0043440B: __EH_prolog.LIBCMT ref: 00434410
                                                • Part of subcall function 00421E0C: malloc.MSVCRT ref: 00421E1F
                                                • Part of subcall function 00421E0C: _CxxThrowException.MSVCRT(?,004D4B28), ref: 00421E39
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$ExceptionThrowmalloc
                                              • String ID:
                                              • API String ID: 3744649731-0
                                              • Opcode ID: 31b80d01c7a77d17a74c5c62112fb595a0465bc9eabdbb7e8c3fc91a43e5f499
                                              • Instruction ID: d6cce68e8c4f2db8be5ba930be28da9e0ae51ba2e28ea337d3b9f11a74d5e33e
                                              • Opcode Fuzzy Hash: 31b80d01c7a77d17a74c5c62112fb595a0465bc9eabdbb7e8c3fc91a43e5f499
                                              • Instruction Fuzzy Hash: FC51E7B4901744CFC325DF69C184ACAFBE0BF19308F55886FC49A97752D7B8A608CB55
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0044D0E6
                                                • Part of subcall function 00421E0C: malloc.MSVCRT ref: 00421E1F
                                                • Part of subcall function 00421E0C: _CxxThrowException.MSVCRT(?,004D4B28), ref: 00421E39
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: ExceptionH_prologThrowmalloc
                                              • String ID:
                                              • API String ID: 3978722251-0
                                              • Opcode ID: 175f65e1c3389665c2a7a6ac29bd624300032664d722a4b8cedbff9252f91efd
                                              • Instruction ID: 51be31c351f19cbe17ab6fd026ca5b42e658dd85d52d67ecaa064f984b473726
                                              • Opcode Fuzzy Hash: 175f65e1c3389665c2a7a6ac29bd624300032664d722a4b8cedbff9252f91efd
                                              • Instruction Fuzzy Hash: 7041D471E002149FEB10DFA8C984BAEBBB4BF54314F24445FE841E7281CB789E05C795
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00437FCA
                                                • Part of subcall function 0042950D: SysAllocStringLen.OLEAUT32(?,?), ref: 0042952C
                                                • Part of subcall function 0042950D: _CxxThrowException.MSVCRT(?,004D55B8), ref: 0042954A
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: AllocExceptionH_prologStringThrow
                                              • String ID:
                                              • API String ID: 1940201546-0
                                              • Opcode ID: 353d529b215f380358f5f9b271821b2d266ce16763a50020db06ca3ccd5e581e
                                              • Instruction ID: d44b2a5a3198480c2bc336c498fab6167f479f2f03f107dcf87386aa20f6ce13
                                              • Opcode Fuzzy Hash: 353d529b215f380358f5f9b271821b2d266ce16763a50020db06ca3ccd5e581e
                                              • Instruction Fuzzy Hash: 923191729202099ACF1CAFA5D8519FEB7B0FF18314F42502FF012A7261DE3D9A09C75A
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0045ADBC
                                                • Part of subcall function 0045AD29: __EH_prolog.LIBCMT ref: 0045AD2E
                                                • Part of subcall function 0045AF2D: __EH_prolog.LIBCMT ref: 0045AF32
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: fb0591d17cbcfa6879f6983e5e82db56feb7d6162572a404da06856a7a96c438
                                              • Instruction ID: db52272feae4b7b7ddf4b05798b1c51379cd0eb2ce23730e2f69c3e856326836
                                              • Opcode Fuzzy Hash: fb0591d17cbcfa6879f6983e5e82db56feb7d6162572a404da06856a7a96c438
                                              • Instruction Fuzzy Hash: 7E41E97144ABC0DEC326DF7981656CAFFE06F25204F84C99EC4EA43A52D674A60CC76A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: 782dfe2ec91f83849719c8231f7bea942efc0a6b315827bd5f670de6293710cf
                                              • Instruction ID: 87edcb0e1d4771f1b6eed8b7f75b332086cfced12181d6def0cd858d7a139493
                                              • Opcode Fuzzy Hash: 782dfe2ec91f83849719c8231f7bea942efc0a6b315827bd5f670de6293710cf
                                              • Instruction Fuzzy Hash: EC314C70D00208DFDB14EF95C8918EEBBB4FF94364B11811FE52667241C7389D21CBA8
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 004498F7
                                                • Part of subcall function 00449987: __EH_prolog.LIBCMT ref: 0044998C
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: 0c4bf7af05f737e2b0c4dc960d4d3389a26ea0255c8422832feb9ea5c236d2e6
                                              • Instruction ID: 5b5e3e5b0bae1641faee5af500fecbbf814e5722dbdd19bb58704f8fbfa23276
                                              • Opcode Fuzzy Hash: 0c4bf7af05f737e2b0c4dc960d4d3389a26ea0255c8422832feb9ea5c236d2e6
                                              • Instruction Fuzzy Hash: E91159756002059BEB14CF59C884BABB3A9FF89354F14855EE856DB351CB39EC00CB20
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0044021F
                                                • Part of subcall function 00433D66: __EH_prolog.LIBCMT ref: 00433D6B
                                                • Part of subcall function 00433D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00433D7D
                                                • Part of subcall function 00433D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00433D94
                                                • Part of subcall function 00433D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00433DB6
                                                • Part of subcall function 00433D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00433DCB
                                                • Part of subcall function 00433D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00433DD5
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                              • String ID:
                                              • API String ID: 1532160333-0
                                              • Opcode ID: 5eafa403da778bb42c42fec1c8e6dd602a1208ad44556a5977d5816cc5c1a92d
                                              • Instruction ID: 6e07ab3b254fce235fe2462ee1ac0a031d3fc9e92071c3165f225d78c4a02e5d
                                              • Opcode Fuzzy Hash: 5eafa403da778bb42c42fec1c8e6dd602a1208ad44556a5977d5816cc5c1a92d
                                              • Instruction Fuzzy Hash: 042138B1846B90CFC321CF6B86D1686FFF4BB19604B94996FC0DA83B12C374A548CB55
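                                               The nested calls in this record (GetCurrentProcess, OpenProcessToken with access 00000028, LookupPrivilegeValueW for SeSecurityPrivilege, AdjustTokenPrivileges, then GetLastError) are the standard enable-one-privilege sequence, and they are why a triage pass over a report like this should pull the API chains out of the function listing rather than read the hashes. The script below is an added example and is not code from the Joe Sandbox report or from the sample: it parses the "Name.MODULE(args), ref: ADDR" bullets of a function record, decodes the DesiredAccess value of OpenProcessToken with the TOKEN_* bits from winnt.h, and flags any function that opens a token, looks up a privilege and adjusts it. The record text embedded in it is copied from the listing above; the function names and the returned dictionary layout are this example's own, and argument slots shown as ? are ones the report left unresolved.

```python
"""Parse the API bullets of a Joe Sandbox function record and flag a
privilege-enable chain.  Added example, not report or sample code."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the API lines of the record above, copied verbatim.
SAMPLE_RECORD = """\
APIs
• __EH_prolog.LIBCMT ref: 0044021F
  • Part of subcall function 00433D66: __EH_prolog.LIBCMT ref: 00433D6B
  • Part of subcall function 00433D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00433D7D
  • Part of subcall function 00433D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00433D94
  • Part of subcall function 00433D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00433DB6
  • Part of subcall function 00433D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00433DCB
  • Part of subcall function 00433D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00433DD5
Memory Dump Source
• Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
Similarity
• API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
• Instruction Fuzzy Hash: 042138B1846B90CFC321CF6B86D1686FFF4BB19604B94996FC0DA83B12C374A548CB55
"""

# One API bullet: optional "Part of subcall function ADDR:", then Name.MODULE,
# optional "(args)", then "ref: ADDR".  Other bullets (hashes, dump sources)
# do not match and are skipped.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")

# Token access bits as defined in winnt.h (SDK values, not taken from the report).
TOKEN_ACCESS_BITS = [
    (0x0001, "TOKEN_ASSIGN_PRIMARY"),
    (0x0002, "TOKEN_DUPLICATE"),
    (0x0004, "TOKEN_IMPERSONATE"),
    (0x0008, "TOKEN_QUERY"),
    (0x0010, "TOKEN_QUERY_SOURCE"),
    (0x0020, "TOKEN_ADJUST_PRIVILEGES"),
    (0x0040, "TOKEN_ADJUST_GROUPS"),
    (0x0080, "TOKEN_ADJUST_DEFAULT"),
    (0x0100, "TOKEN_ADJUST_SESSIONID"),
]


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str
    subcall: Optional[str]  # callee address when the call is nested, else None


def parse_api_calls(record: str) -> list:
    """Return every API bullet of one function record as an ApiCall."""
    calls = []
    for line in record.splitlines():
        m = API_LINE.match(line.strip())
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             m.group("ref").upper(), m.group("sub")))
    return calls


def decode_token_access(mask: int) -> list:
    """Name the TOKEN_* bits set in an OpenProcessToken DesiredAccess value."""
    return [name for bit, name in TOKEN_ACCESS_BITS if mask & bit]


def find_privilege_adjustment(calls: list) -> Optional[dict]:
    """Find OpenProcessToken + LookupPrivilegeValue{A,W} + AdjustTokenPrivileges
    inside the same function (same subcall address) and describe the chain."""
    groups = {}
    for c in calls:
        groups.setdefault(c.subcall, []).append(c)
    for sub, group in groups.items():
        by_name = {c.api: c for c in group}
        lookup = (by_name.get("LookupPrivilegeValueW")
                  or by_name.get("LookupPrivilegeValueA"))
        if not ("OpenProcessToken" in by_name and lookup
                and "AdjustTokenPrivileges" in by_name):
            continue
        # DesiredAccess is OpenProcessToken's second parameter; a "?" slot
        # means the report could not resolve it, so decode only hex values.
        access_arg = by_name["OpenProcessToken"].args[1:2]
        access = []
        if access_arg and HEX32.match(access_arg[0]):
            access = decode_token_access(int(access_arg[0], 16))
        priv = next((a for a in lookup.args
                     if a.startswith("Se") and a.endswith("Privilege")), None)
        return {
            "subcall": sub,
            "privilege": priv,
            "token_access": access,
            "refs": [by_name[n].ref for n in
                     ("OpenProcessToken", lookup.api, "AdjustTokenPrivileges")],
            "checks_last_error": "GetLastError" in by_name,
        }
    return None


if __name__ == "__main__":
    print(find_privilege_adjustment(parse_api_calls(SAMPLE_RECORD)))
```

                                               On this record the parser reports access 00000028 as TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES and the privilege as SeSecurityPrivilege, all inside subcall 00433D66. The trailing GetLastError in the same function is worth keeping in the output: AdjustTokenPrivileges returns nonzero even when the caller does not hold the privilege, and only ERROR_NOT_ALL_ASSIGNED (1300) from GetLastError tells the caller the privilege was not actually enabled, so a function that skips that check is behaving differently from one that makes it.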
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00441C74
                                                • Part of subcall function 00426C72: __EH_prolog.LIBCMT ref: 00426C77
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: ecedb421c67446788990f5583816144f19ea46799dce0d18b3041472d7fa482a
                                              • Instruction ID: 0201075882e317b54e47c5d7d32e86f5a87a10945ff146cb565707a4d3ccb405
                                              • Opcode Fuzzy Hash: ecedb421c67446788990f5583816144f19ea46799dce0d18b3041472d7fa482a
                                              • Instruction Fuzzy Hash: 9011C231A002249BDF15FBD6E992BEEBB74AF54358F40002EE442232A2CB691D85C65C
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00437E5F
                                                • Part of subcall function 00426C72: __EH_prolog.LIBCMT ref: 00426C77
                                                • Part of subcall function 00421E40: free.MSVCRT ref: 00421E44
                                                • Part of subcall function 0042757D: GetLastError.KERNEL32(0042D14C), ref: 0042757D
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$ErrorLastfree
                                              • String ID:
                                              • API String ID: 683690243-0
                                              • Opcode ID: 17d5d208d769906f2808d8c0adbc885513463dff623b583931aacf3b4da3a3f4
                                              • Instruction ID: 6b74fc85d1c7830815d7edc631a3d48c60bcfd289c0c36cbcc7314f019d161ef
                                              • Opcode Fuzzy Hash: 17d5d208d769906f2808d8c0adbc885513463dff623b583931aacf3b4da3a3f4
                                              • Instruction Fuzzy Hash: F00108716443109FC721EF76D8929DFBBB1EF45314F00466FE48353692CB786909CA58
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0046BF91
                                                • Part of subcall function 0046D144: __EH_prolog.LIBCMT ref: 0046D149
                                                • Part of subcall function 00421E40: free.MSVCRT ref: 00421E44
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$free
                                              • String ID:
                                              • API String ID: 2654054672-0
                                              • Opcode ID: f46d31d40f8e35b9ab6d0e5e75b93dba7805ec1e276109582325f5aabc3e7a45
                                              • Instruction ID: fa14a8af4e4365a0513ea115e1ce66f6f18b2d89480641c0f3f102c79818217b
                                              • Opcode Fuzzy Hash: f46d31d40f8e35b9ab6d0e5e75b93dba7805ec1e276109582325f5aabc3e7a45
                                              • Instruction Fuzzy Hash: D3115171900714DBC714EF65D955BDABBF4BF04348F00851FA4A6936A2D7B86A04CB48
                                              APIs
                                              • SetFileTime.KERNEL32(00000002,00000000,000000FF,00000000,00000000,80000000,00000000,?,00421AD1,00000000,00000002,00000002,?,00427B3E,?,00000000), ref: 00427AFD
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: FileTime
                                              • String ID:
                                              • API String ID: 1425588814-0
                                              • Opcode ID: 9e9f783231b304838aab3bd11688a5bb03323f6d2c731f6811083aeda23351c6
                                              • Instruction ID: ba07eb27bcb4f55b67d468e64cb245ca73a0935cba99adcd683f901c2d780d8c
                                              • Opcode Fuzzy Hash: 9e9f783231b304838aab3bd11688a5bb03323f6d2c731f6811083aeda23351c6
                                              • Instruction Fuzzy Hash: EB01A270208258BFDF268F54DC05BEE7FA59F05364F14814EB8A6532E2C6749E50D758
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0045C0B8
                                                • Part of subcall function 00447193: __EH_prolog.LIBCMT ref: 00447198
                                                • Part of subcall function 00421E40: free.MSVCRT ref: 00421E44
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$free
                                              • String ID:
                                              • API String ID: 2654054672-0
                                              • Opcode ID: d1ade75c1219b4ef7edf35e696661600c22b712e0ff51f634733494c4cdb5fc8
                                              • Instruction ID: 5295756519d47cd3997f8c2228b953ad2f9b19cdcdb49a4b72f58c2cfdaf6b16
                                              • Opcode Fuzzy Hash: d1ade75c1219b4ef7edf35e696661600c22b712e0ff51f634733494c4cdb5fc8
                                              • Instruction Fuzzy Hash: 5FF02B72A00321DFDB115B8AD88179FF3A9EF14714F10002FE80197353CBB99C048698
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00460364
                                                • Part of subcall function 004601C4: __EH_prolog.LIBCMT ref: 004601C9
                                                • Part of subcall function 00460143: __EH_prolog.LIBCMT ref: 00460148
                                                • Part of subcall function 00421E40: free.MSVCRT ref: 00421E44
                                                • Part of subcall function 004603D8: __EH_prolog.LIBCMT ref: 004603DD
                                                • Part of subcall function 0046004A: __EH_prolog.LIBCMT ref: 0046004F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$free
                                              • String ID:
                                              • API String ID: 2654054672-0
                                              • Opcode ID: 845d2560cbc035aed01b2a02b6f3cdcb9e3196633412147d31ba0adeb4b8d8ad
                                              • Instruction ID: 5f65cb5ccb6026e657013d37a88a9b7446c20bb26e9a6935028d95975a203295
                                              • Opcode Fuzzy Hash: 845d2560cbc035aed01b2a02b6f3cdcb9e3196633412147d31ba0adeb4b8d8ad
                                              • Instruction Fuzzy Hash: 6FF0F431914B50DBCB19EB69D8227DEBBE4AF05318F10465FE452632E2DBBC6B04874D
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: b6f0aa8ec8b0837d0ae12a3e6f683575d07210855aee148bd8fef5f5a6f3514f
                                              • Instruction ID: d4271195408e90eb5a94f3d159ce600f4e221671b3bbd0f594986976af9d5331
                                              • Opcode Fuzzy Hash: b6f0aa8ec8b0837d0ae12a3e6f683575d07210855aee148bd8fef5f5a6f3514f
                                              • Instruction Fuzzy Hash: CEF0AF32E1101AABCB04DF99D8409EFBB75FF44790B00805FF815E7251DB388A05CB98
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0046550A
                                                • Part of subcall function 00464E8A: __EH_prolog.LIBCMT ref: 00464E8F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: ea3701ec8777eb476666d5aa54f0f6bf18b057b376d638134f410418ac46d7e8
                                              • Instruction ID: 091dbb49d70d9278a4f2cc9a9fd95d0ebece79a0fc7eeada3bd9313d23d50899
                                              • Opcode Fuzzy Hash: ea3701ec8777eb476666d5aa54f0f6bf18b057b376d638134f410418ac46d7e8
                                              • Instruction Fuzzy Hash: 46F03076600514ABCB059F48D815A9E7BA9EF84364F10441EF40657241EB79DD118BA5
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: 4d38adc7fdf908d77836a2a37e728f8fdc38d82b7c0f3e8dd0b57452819b2c88
                                              • Instruction ID: 3dcbba6c3fd982e3150761a507eb8076f0ea1f1a742aa02d1d744b73b69430c0
                                              • Opcode Fuzzy Hash: 4d38adc7fdf908d77836a2a37e728f8fdc38d82b7c0f3e8dd0b57452819b2c88
                                              • Instruction Fuzzy Hash: 96E06D76600108AFCB00EF99D855F9ABBA8EB48354F10841EB00A97205C778AA00CA68
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00465E30
                                                • Part of subcall function 004608B6: __aulldiv.LIBCMT ref: 0046093F
                                                • Part of subcall function 0043DFC9: __EH_prolog.LIBCMT ref: 0043DFCE
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$__aulldiv
                                              • String ID:
                                              • API String ID: 604474441-0
                                              • Opcode ID: 9b86b9679fb907f3ca3c867cb28d3221f09808048563b2a4e24f7896d62a4ba8
                                              • Instruction ID: 7ee32a8cdb759bd446d37affc95d56f8a058a84e9f581392c2fc64b649287ea8
                                              • Opcode Fuzzy Hash: 9b86b9679fb907f3ca3c867cb28d3221f09808048563b2a4e24f7896d62a4ba8
                                              • Instruction Fuzzy Hash: 33E06DB0E10750DFCB55EFB9955168EB7F4BF08704F00586FA046D3B41EBB8AA008B95
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00468ED6
                                                • Part of subcall function 00469267: __EH_prolog.LIBCMT ref: 0046926C
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: 72cdca556637efcb367e03f640e230f09d677674ab70fd6d573c13897fa6da3d
                                              • Instruction ID: cc1a65d5c5f2a7c7757f8a6a8f9e7e42ca02522196c26d56ca2574e4b9151cf2
                                              • Opcode Fuzzy Hash: 72cdca556637efcb367e03f640e230f09d677674ab70fd6d573c13897fa6da3d
                                              • Instruction Fuzzy Hash: 6FE09271A24524AACB0DEB65D522BDDB7A8EF04708F000A5EA40392582DBF86B08C799
                                              APIs
                                              • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00427C8B
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: FileWrite
                                              • String ID:
                                              • API String ID: 3934441357-0
                                              • Opcode ID: daf566a3aec90f6c2b85f87f7ef7f1265259ade1463c7d5b9e852fe9382e7416
                                              • Instruction ID: 1a16debcfdc58ed576ec5b50846b601859bd84f36bc723c695a48f8c620773ed
                                              • Opcode Fuzzy Hash: daf566a3aec90f6c2b85f87f7ef7f1265259ade1463c7d5b9e852fe9382e7416
                                              • Instruction Fuzzy Hash: 78E01A75600209FBCF11CFA6D801F8E7BB9EB09754F20C06AF9199A260D739DA50DF54
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0046BE6E
                                                • Part of subcall function 00465E2B: __EH_prolog.LIBCMT ref: 00465E30
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: 087616eef1405c624ce835b8f532173acb276a8fe00b34eca3d79aece376c4b4
                                              • Instruction ID: 7b8fc848d9af0fdd3e11df542c449e5769b9d31e277ad2283b32302cef642733
                                              • Opcode Fuzzy Hash: 087616eef1405c624ce835b8f532173acb276a8fe00b34eca3d79aece376c4b4
                                              • Instruction Fuzzy Hash: E9E09B7192496087D715EB65C411BDDB7E4BB10308F00845FF096D3181DFB86A04C76A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs
                                              • String ID:
                                              • API String ID: 1795875747-0
                                              • Opcode ID: eac503db4e924dac5c795042dc67010d99318f824d2987c5a846b0e117ab66fd
                                              • Instruction ID: e48041b50305948a05673ce99605c275ee5495a6a5ebaa12557d915b7602473c
                                              • Opcode Fuzzy Hash: eac503db4e924dac5c795042dc67010d99318f824d2987c5a846b0e117ab66fd
                                              • Instruction Fuzzy Hash: CBD01232504129ABCF156B95EC45CDD77BCEF18214704442FF545E2160EEB5E5148B94
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0045F74A
                                                • Part of subcall function 0045F784: __EH_prolog.LIBCMT ref: 0045F789
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID:
                                              • API String ID: 3519838083-0
                                              • Opcode ID: 9565ffe698da9f22fd89273bb1e08a157b7c03b9f12707453d3fbbccc8781bfe
                                              • Instruction ID: 66158085bcfa79ae016438860d85dc654309a55eef550194e3f02e2bf6b53b6a
                                              • Opcode Fuzzy Hash: 9565ffe698da9f22fd89273bb1e08a157b7c03b9f12707453d3fbbccc8781bfe
                                              • Instruction Fuzzy Hash: 81D01275A14204BFDB149B49DC13BEEB778EB44759F10452FF00161141C3B95A048AB9
                                              APIs
                                              • ReadFile.KERNELBASE(00000002,?,?,00000000,00000000,00000002,?,0042785F,00000000,00004000,00000000,00000002,?,?,?), ref: 00427B65
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: FileRead
                                              • String ID:
                                              • API String ID: 2738559852-0
                                              • Opcode ID: 3d730df2a1effc1c346bfff2a0f5603b1f39f7eb5ea4a21694ecd99706253558
                                              • Instruction ID: 9151445ee64cc0c3a4f0d7a9a84551e1c554ddb5348d52ab9cccf6cc74bf33c0
                                              • Opcode Fuzzy Hash: 3d730df2a1effc1c346bfff2a0f5603b1f39f7eb5ea4a21694ecd99706253558
                                              • Instruction Fuzzy Hash: 3EE0EC75200208FBDF01CF91CC41F8E7BB9EB49754F208058E90596160C775AA54EB54
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 004780AF
                                                • Part of subcall function 00421E0C: malloc.MSVCRT ref: 00421E1F
                                                • Part of subcall function 00421E0C: _CxxThrowException.MSVCRT(?,004D4B28), ref: 00421E39
                                                • Part of subcall function 0046BDB5: __EH_prolog.LIBCMT ref: 0046BDBA
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$ExceptionThrowmalloc
                                              • String ID:
                                              • API String ID: 3744649731-0
                                              • Opcode ID: d3aa5835b8f115f65d1c08dd27ac20bb622b41473f58787eb69de9bb1f127375
                                              • Instruction ID: fb125752e505a8f861dfccb8e87b6cbb05fca7384064df51cc26b25658ad81f2
                                              • Opcode Fuzzy Hash: d3aa5835b8f115f65d1c08dd27ac20bb622b41473f58787eb69de9bb1f127375
                                              • Instruction Fuzzy Hash: B2D05B71B051056FCF4CEFB4981675F72A0DB44304F10457FA016E7781EF789904866D
                                              APIs
                                              • FindClose.KERNELBASE(00000000,?,00426880), ref: 00426853
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: CloseFind
                                              • String ID:
                                              • API String ID: 1863332320-0
                                              • Opcode ID: 595ee849d6a360f0d2b68ecd89af8bd9d2b2d769f537b8b1d2552cbc1a460217
                                              • Instruction ID: 5389f1942f120def4649b6771ee5fa54703c9e5735330670771014f00a13f218
                                              • Opcode Fuzzy Hash: 595ee849d6a360f0d2b68ecd89af8bd9d2b2d769f537b8b1d2552cbc1a460217
                                              • Instruction Fuzzy Hash: 47D01231605231468A646F3E78449D633D86E063343660B5AF0B4C32E5D7648C835A54
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs
                                              • String ID:
                                              • API String ID: 1795875747-0
                                              • Opcode ID: aa7a43c7b7de6311484edacd9e084059553ec392a68630163b56fc6a56f14e84
                                              • Instruction ID: 8a1308cc069d8fafa66bc790fb21a5949d16ad3c8a77d583c20d1ce63c9f1d00
                                              • Opcode Fuzzy Hash: aa7a43c7b7de6311484edacd9e084059553ec392a68630163b56fc6a56f14e84
                                              • Instruction Fuzzy Hash: 2AD0C936108251AF96656F06FC09C8BFBA5FFD5320725082FF480921609F626825DAA4
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: fputc
                                              • String ID:
                                              • API String ID: 1992160199-0
                                              • Opcode ID: 757eef88efa5550270b07b390257135ba033aba8e4b736791add40c45e4b29b2
                                              • Instruction ID: adeec50d6d4221546b048a1ac9564b348a01e166067a330adcc635555da6e285
                                              • Opcode Fuzzy Hash: 757eef88efa5550270b07b390257135ba033aba8e4b736791add40c45e4b29b2
                                              • Instruction Fuzzy Hash: EAB092323082209BE6581A9CBC0AAC06794DB09732B25006FF548C21909E911C814A99
                                              APIs
                                              • SetFileTime.KERNELBASE(?,?,?,?,00427C65,00000000,00000000,?,0042F238,?,?,?,?), ref: 00427C49
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: FileTime
                                              • String ID:
                                              • API String ID: 1425588814-0
                                              • Opcode ID: b2af0b91cded661f68e388fe15f3c5af86688d4f51d81d58eea0fbf76a7575e1
                                              • Instruction ID: bda036cc9ba7f814454247ca3ef88afa14dcd21ffcb4a1b017414679cbe50e5c
                                              • Opcode Fuzzy Hash: b2af0b91cded661f68e388fe15f3c5af86688d4f51d81d58eea0fbf76a7575e1
                                              • Instruction Fuzzy Hash: E2C04C36158115FF8F020F71CC44C1ABBA2ABA5711F10C918F159C4470CB328024EF02
                                              APIs
                                              • SetEndOfFile.KERNELBASE(?,00427D81,?,?,?), ref: 00427D3E
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: File
                                              • String ID:
                                              • API String ID: 749574446-0
                                              • Opcode ID: cd42a2f370ace6a7d433f7f4988b1199df19867ccde6f7d6365bdb9200d39cee
                                              • Instruction ID: 5e2035d9830bc670e094e3d93ace9c611d8ad5235f4f783f1688cf62fa87ef95
                                              • Opcode Fuzzy Hash: cd42a2f370ace6a7d433f7f4988b1199df19867ccde6f7d6365bdb9200d39cee
                                              • Instruction Fuzzy Hash: BCA001702E511A8E8E511B35D8498243AA1AA5260676426A4A006CA4B5DE22441AAA05
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: memmove
                                              • String ID:
                                              • API String ID: 2162964266-0
                                              • Opcode ID: 5ed39fdbeb2dbe899d3689d2b5b3b44965438cbf3e02571bd252dfa24c8c4cb7
                                              • Instruction ID: 5b0d51f8afb403b327a5d890dca461576584c04ed8d3467479b69eecc01b1152
                                              • Opcode Fuzzy Hash: 5ed39fdbeb2dbe899d3689d2b5b3b44965438cbf3e02571bd252dfa24c8c4cb7
                                              • Instruction Fuzzy Hash: 7C817071E04229AFCF14CFA8D5C0AAEBBB1AF48304F54846BD415A7341D779A981CF59
                                              APIs
                                              • CloseHandle.KERNELBASE(00000000,00000000,00433D8D,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00433E12
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID:
                                              • API String ID: 2962429428-0
                                              • Opcode ID: db6c55365811c90c665e1c773c106c8515f4597ddb3b1b9a3f6f254876192cea
                                              • Instruction ID: 72697589b34739c418e631a651e89a264b7b81591729a213417546072a54a18a
                                              • Opcode Fuzzy Hash: db6c55365811c90c665e1c773c106c8515f4597ddb3b1b9a3f6f254876192cea
                                              • Instruction Fuzzy Hash: 06D0123251422147DB705E2DF8457D263DD6F14322F15545AF890CB240EB68CCC35A58
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: malloc
                                              • String ID:
                                              • API String ID: 2803490479-0
                                              • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                              • Instruction ID: 16bde434935c07d6ba47989cae6c4d5d1d7164b6af632a6b3b2caee80f27a577
                                              • Opcode Fuzzy Hash: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                              • Instruction Fuzzy Hash: 93D0237020310101CF4845304C0975B30845F6530AF1C447EE833CB381F71CD21C817C
                                              APIs
                                              • CloseHandle.KERNELBASE(00000000,?,004275AF,00000002,?,00000000,00000000), ref: 00427657
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID:
                                              • API String ID: 2962429428-0
                                              • Opcode ID: 43fb83f66656dba85674ff66320978dde1b7ca0a0257ff67e152e9c6103f578d
                                              • Instruction ID: 344547b1eb993d9c01e3fb062a0bb9c2cf58e7cbcec8e97fb27d75c9f461179d
                                              • Opcode Fuzzy Hash: 43fb83f66656dba85674ff66320978dde1b7ca0a0257ff67e152e9c6103f578d
                                              • Instruction Fuzzy Hash: 84D01231208632468A641E3C7885DC333D85A123343A5075AF0B4C33E1D7688C834A58
                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000), ref: 004A6B31
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: c2888f032e5b6653757e989dbfaa44933ac87d11132aa46959728b1fe8b53031
                                              • Instruction ID: 429270787b18db05161f394c2bb4335e73f14b08242a0ffc2e12f869dac901b6
                                              • Opcode Fuzzy Hash: c2888f032e5b6653757e989dbfaa44933ac87d11132aa46959728b1fe8b53031
                                              • Instruction Fuzzy Hash: 12C02BE1A4D280DFDF0213508C80B603F308F83300F0A00C1E4085B0D3C2041C0CC723
                                              APIs
                                              Similarity
                                              • API ID: malloc
                                              • String ID:
                                              APIs
                                              Similarity
                                              • API ID: malloc
                                              • String ID:
                                              APIs
                                              • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 004A6BAC
                                              Similarity
                                              • API ID: FreeVirtual
                                              • String ID:
                                              APIs
                                              Similarity
                                              • API ID: free
                                              • String ID:
                                              APIs
                                              Similarity
                                              • API ID: free
                                              • String ID:
                                              APIs
                                              Similarity
                                              • API ID: free
                                              • String ID:
                                              APIs
                                              Similarity
                                              • API ID: Version
                                              • String ID:
                                              APIs
                                              • memcmp.MSVCRT(?,004D48A0,00000010), ref: 0042C09E
                                              • memcmp.MSVCRT(?,004D0258,00000010), ref: 0042C0BB
                                              • memcmp.MSVCRT(?,004D0348,00000010), ref: 0042C0CE
                                              Similarity
                                              • API ID: memcmp
                                              • String ID:
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: $16-bit overflow for number of files in headers$32-bit overflow in headers$Central$Local$Minor_Extra_ERROR$Missing volume : $Unsorted_CD$Zip64$apk
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 004264F8
                                              • GetCurrentThreadId.KERNEL32 ref: 00426508
                                              • GetTickCount.KERNEL32 ref: 00426513
                                              • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 0042651E
                                              • GetTickCount.KERNEL32 ref: 00426578
                                              • SetLastError.KERNEL32(000000B7,?,?,?,?,00000000), ref: 004265C5
                                              • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 004265EC
                                                • Part of subcall function 00425D7A: __EH_prolog.LIBCMT ref: 00425D7F
                                                • Part of subcall function 00425D7A: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 00425DA1
                                                • Part of subcall function 00421E40: free.MSVCRT ref: 00421E44
                                              Strings
                                              Similarity
                                              • API ID: CountCurrentErrorH_prologLastTick$CreateDirectoryProcessThreadfree
                                              • String ID: .tmp$d
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: H_prologfputs
                                              • String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0042A091
                                                • Part of subcall function 00429BAA: RegCloseKey.ADVAPI32(?,?,00429BA0), ref: 00429BB6
                                              Strings
                                              Similarity
                                              • API ID: CloseH_prolog
                                              • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$Previous Update Revision$Update Revision$x86
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0047C453
                                                • Part of subcall function 0047C1DF: __EH_prolog.LIBCMT ref: 0047C1E4
                                                • Part of subcall function 0047C543: __EH_prolog.LIBCMT ref: 0047C548
                                                • Part of subcall function 00421E0C: malloc.MSVCRT ref: 00421E1F
                                                • Part of subcall function 00421E0C: _CxxThrowException.MSVCRT(?,004D4B28), ref: 00421E39
                                              Strings
                                              Similarity
                                              • API ID: H_prolog$ExceptionThrowmalloc
                                              • String ID: ((M$<(M$L(M$\(M
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0045602A
                                              • EnterCriticalSection.KERNEL32(004E2938), ref: 00456044
                                              • LeaveCriticalSection.KERNEL32(004E2938), ref: 00456060
                                              Strings
                                              Similarity
                                              • API ID: CriticalSection$EnterH_prologLeave
                                              • String ID: v$8)N
                                              APIs
                                              • memset.MSVCRT ref: 004803F5
                                              • memcpy.MSVCRT(?,?,00000008,00000064,?,?,?,?,00000064), ref: 00480490
                                              • memset.MSVCRT ref: 00480618
                                              Strings
                                              Similarity
                                              • API ID: memset$memcpy
                                              • String ID: $@
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00426141
                                                • Part of subcall function 00426C72: __EH_prolog.LIBCMT ref: 00426C77
                                              • SetLastError.KERNEL32(0000010B,00000000,00000000), ref: 00426197
                                              • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 0042626E
                                              • SetLastError.KERNEL32(?,?,?,?,?,0000005C,?,00000000,00000000), ref: 004262A9
                                                • Part of subcall function 00426096: __EH_prolog.LIBCMT ref: 0042609B
                                                • Part of subcall function 00426096: DeleteFileW.KERNEL32(?,?,?,00000000), ref: 004260DF
                                              • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 00426285
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: ErrorLast$H_prolog$DeleteFile
                                              • String ID:
                                              • API String ID: 3586524497-0
                                              • Opcode ID: 956d8d9ba357e9f89de744500883564522ea055fd73bd2081be947507966a51a
                                              • Instruction ID: da1dc7675e4ac61b016d6e130ef28db56941a83b96f82cae441eac05b7b336f3
                                              • Opcode Fuzzy Hash: 956d8d9ba357e9f89de744500883564522ea055fd73bd2081be947507966a51a
                                              • Instruction Fuzzy Hash: 90519031E04238EADF15EBE5E951BEDBB74AF15348F91409FE84173192CB381A06CB69
                                              APIs
                                              • memcmp.MSVCRT(?,004D48A0,00000010), ref: 004344DB
                                              • memcmp.MSVCRT(?,004D0128,00000010), ref: 004344EE
                                              • memcmp.MSVCRT(?,004D0228,00000010), ref: 0043450B
                                              • memcmp.MSVCRT(?,004D0248,00000010), ref: 00434528
                                              • memcmp.MSVCRT(?,004D01C8,00000010), ref: 00434545
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: memcmp
                                              • String ID:
                                              • API String ID: 1475443563-0
                                              • Opcode ID: 83ccb9011945a02a7f50d10a348397b34e6b0838aae92c1aa74355e85303c757
                                              • Instruction ID: 5ac15a4f8edc018480e5f28884af501d4339eaa92d9302370719fdbf2623e094
                                              • Opcode Fuzzy Hash: 83ccb9011945a02a7f50d10a348397b34e6b0838aae92c1aa74355e85303c757
                                              • Instruction Fuzzy Hash: 8321A471B402047BD7048E219C81FFF37A8DB947A4F10442BFE099B341F66CED4556A9
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: !$LZMA2:$LZMA:
                                              • API String ID: 3519838083-3332058968
                                              • Opcode ID: 2eadce98754611e5ad5bc771f0301627cd448fc40dcaed0fb5c585c873f0b979
                                              • Instruction ID: 3dc79129943cc553dda588847f261472e715348dc2177b285ef7af9a672f4ff4
                                              • Opcode Fuzzy Hash: 2eadce98754611e5ad5bc771f0301627cd448fc40dcaed0fb5c585c873f0b979
                                              • Instruction Fuzzy Hash: 3A610430A00156EECB15DB64C9C9FFE7BA1AF15344F1440ABE48657262EB78AE80C74E
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0042A389
                                                • Part of subcall function 0042A4C5: GetModuleHandleW.KERNEL32(ntdll.dll,?,0042A3C1,00000001), ref: 0042A4CD
                                                • Part of subcall function 0042A4C5: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0042A4DD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: AddressH_prologHandleModuleProc
                                              • String ID: : $ SP:$Windows
                                              • API String ID: 786088110-3655538264
                                              • Opcode ID: 2d9af393958068c1ffd9a2b2ff93bed50154917a68986a7b26f4d7ba89b47b07
                                              • Instruction ID: 99ea0656200a349646feca55b13bc5373a88c61c87c3ef69c99a8a4ad982542f
                                              • Opcode Fuzzy Hash: 2d9af393958068c1ffd9a2b2ff93bed50154917a68986a7b26f4d7ba89b47b07
                                              • Instruction Fuzzy Hash: 28314371E00129ABCF15FBA2D9529FEB774BF14304FC0016FE505721A1DFB85A85CA59
                                              APIs
                                              • GetModuleHandleW.KERNEL32(ntdll.dll,?,0042A3C1,00000001), ref: 0042A4CD
                                              • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0042A4DD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: RtlGetVersion$ntdll.dll
                                              • API String ID: 1646373207-1489217083
                                              • Opcode ID: 37da57a2f94411754ba7f3fca163633a785d61f76311b18973f6fc1b640f53b5
                                              • Instruction ID: fe6db1179da590113e2b92a4ee9501f801128a4225f7a3b2f186f8fdc25f2b2a
                                              • Opcode Fuzzy Hash: 37da57a2f94411754ba7f3fca163633a785d61f76311b18973f6fc1b640f53b5
                                              • Instruction Fuzzy Hash: CED0A7353142306BB6A076B53D8EFE7128C8B40B507054427FC04C0041EACCDD8344AD
                                              APIs
                                              • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,00000000,?), ref: 00440359
                                              • GetLastError.KERNEL32(?,?,00000000,?), ref: 00440382
                                              • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,?,00000000,?), ref: 004403DA
                                              • GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,?), ref: 004403F0
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: ErrorFileLastSecurity
                                              • String ID:
                                              • API String ID: 555121230-0
                                              • Opcode ID: 497dc0fa02b760d3df625ca00a698c645572ba16188e9d2e98d3874e0293f234
                                              • Instruction ID: b1592b22d284e023456ec34a920a1874619657824d0644a14f8d69ffd6017a79
                                              • Opcode Fuzzy Hash: 497dc0fa02b760d3df625ca00a698c645572ba16188e9d2e98d3874e0293f234
                                              • Instruction Fuzzy Hash: D4317C70900209EFEB10DFA4C880BAFBBB5FF44348F10895AE95697351D774AE51DB64
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00428300
                                              • GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 0042834F
                                              • DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 0042837C
                                              • memcpy.MSVCRT(?,?,?,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 0042839B
                                                • Part of subcall function 00421E40: free.MSVCRT ref: 00421E44
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: ControlDeviceFileH_prologHandleInformationfreememcpy
                                              • String ID:
                                              • API String ID: 1689166341-0
                                              • Opcode ID: 8d680ebc258baa49a76990f26901e986a33ca7b0867071c0a18dc5c2e63a0653
                                              • Instruction ID: fc8df9f9133b12a353d7bb3e4f3d236561053c74de80f8ac007d9186af7203f4
                                              • Opcode Fuzzy Hash: 8d680ebc258baa49a76990f26901e986a33ca7b0867071c0a18dc5c2e63a0653
                                              • Instruction Fuzzy Hash: FB21D372600114AFDF20DF95EC81EEFBBB9EF94794F14002EF804A3251CA3A4E04CA68
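The DeviceIoControl reference in the record above passes 000900A8 as the control code and 00004000 as the output-buffer size. The decoder below is an added example; it is not code from the sample, from 7-Zip or from Joe Sandbox. It parses the report's own `API.MODULE(args), ref: ADDR` line format, splits the control code into the CTL_CODE fields (device type, function number, transfer method, access) and resolves it against a small table of file-system controls computed from their public Windows SDK definitions. For this line the result is FSCTL_GET_REPARSE_POINT with an output buffer equal to MAXIMUM_REPARSE_DATA_BUFFER_SIZE (0x4000), the pairing an archiver uses to read symlink and junction data, which is consistent with the 7zr image this snapshot was taken from. The sample line is copied from the listing; the FSCTL parameters and the 0x4000 constant are from the SDK headers.

```python
"""Decode the I/O control code in a Joe Sandbox DeviceIoControl reference.
Added example, not code from the sample, 7-Zip or Joe Sandbox. The CTL_CODE
bit layout and the FSCTL parameters below come from the public Windows SDK."""
import re
from typing import NamedTuple, Optional

# CTL_CODE layout: bits 31..16 device type, 15..14 access, 13..2 function, 1..0 method
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x09: "FILE_DEVICE_FILE_SYSTEM",
                0x12: "FILE_DEVICE_NETWORK", 0x22: "FILE_DEVICE_UNKNOWN"}
MAXIMUM_REPARSE_DATA_BUFFER_SIZE = 16 * 1024  # 0x4000 in the SDK


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Same bit layout as the SDK's CTL_CODE macro."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


# Well-known file-system controls, built from their documented CTL_CODE
# parameters rather than hard-coded values, so the table cannot drift.
KNOWN_FSCTL = {
    ctl_code(0x09, 15, 0, 0): "FSCTL_GET_COMPRESSION",
    ctl_code(0x09, 16, 0, 3): "FSCTL_SET_COMPRESSION",
    ctl_code(0x09, 25, 0, 0): "FSCTL_GET_NTFS_VOLUME_DATA",
    ctl_code(0x09, 41, 0, 0): "FSCTL_SET_REPARSE_POINT",
    ctl_code(0x09, 42, 0, 0): "FSCTL_GET_REPARSE_POINT",
    ctl_code(0x09, 43, 0, 0): "FSCTL_DELETE_REPARSE_POINT",
}


class Ioctl(NamedTuple):
    code: int
    device_type: str
    function: int
    method: str
    access: str
    name: str  # symbolic name when known, otherwise ""


def decode_ioctl(code: int) -> Ioctl:
    """Split a 32-bit control code into its CTL_CODE fields."""
    dev = code >> 16
    return Ioctl(code=code,
                 device_type=DEVICE_TYPES.get(dev, f"0x{dev:x}"),
                 function=(code >> 2) & 0xFFF,
                 method=METHODS[code & 3],
                 access=ACCESS[(code >> 14) & 3],
                 name=KNOWN_FSCTL.get(code, ""))


# Matches the report's "API.MODULE(arg,arg,...), ref: ADDR" lines; the
# argument list is optional because prolog entries carry none.
_API_LINE = re.compile(r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")


def parse_api_ref(line: str):
    """Return (api, module, [args as strings], ref address) for one line."""
    m = _API_LINE.search(line)
    if not m:
        raise ValueError(f"not an API reference line: {line!r}")
    api, module, args, ref = m.groups()
    arg_list = [a.strip() for a in args.split(",")] if args else []
    return api, module, arg_list, int(ref, 16)


def explain_deviceiocontrol(line: str) -> dict:
    """Decode a DeviceIoControl reference. The IOCTL is the 2nd argument and
    the output-buffer size the 6th (hDevice, dwIoControlCode, lpInBuffer,
    nInBufferSize, lpOutBuffer, nOutBufferSize, ...)."""
    api, _, args, ref = parse_api_ref(line)
    if api != "DeviceIoControl":
        raise ValueError(f"expected DeviceIoControl, got {api}")
    ioctl = decode_ioctl(int(args[1], 16))
    out_size: Optional[int] = int(args[5], 16) if args[5] != "?" else None
    return {"ref": ref, "ioctl": ioctl, "out_buffer": out_size,
            # Readers of reparse data normally pass the SDK maximum.
            "out_is_max_reparse": out_size == MAXIMUM_REPARSE_DATA_BUFFER_SIZE}


# Line copied from the function record above.
SAMPLE_LINE = ("DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,"
               "00000000,00004000,?,00000000), ref: 0042837C")

if __name__ == "__main__":
    r = explain_deviceiocontrol(SAMPLE_LINE)
    io = r["ioctl"]
    print(f"{io.code:#x} -> {io.name or '(unknown)'} [{io.device_type}, "
          f"fn {io.function}, {io.method}, {io.access}], out={r['out_buffer']:#x}")
```

Run it on any other DeviceIoControl line from the report to see whether the code is a file-system control or something aimed at a driver; an unknown device type (for example one outside the SDK's FILE_DEVICE_* range) is the usual sign of a custom driver IOCTL, which would be the thing to look at next on a page that also flags a dropped driver.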
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: BlockPackSize$BlockUnpackSize
                                              • API String ID: 3519838083-5494122
                                              • Opcode ID: cf2178237f44c326121dd416830941ad90f607d2ec4dc78bac5f8c299370da86
                                              • Instruction ID: 7f38c94f94107cef8582e2a2bb82accb5b7037e97444e8d67689f4c3d1ba036f
                                              • Opcode Fuzzy Hash: cf2178237f44c326121dd416830941ad90f607d2ec4dc78bac5f8c299370da86
                                              • Instruction Fuzzy Hash: C751D7B19001849ECF75EB6488B1AFF7BA1AF56300F1A409FD05656292F7295D8CD70F
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0042A4F8
                                                • Part of subcall function 0042A384: __EH_prolog.LIBCMT ref: 0042A389
                                                • Part of subcall function 00429E14: GetSystemInfo.KERNEL32(?), ref: 00429E36
                                                • Part of subcall function 00429E14: GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 00429E50
                                                • Part of subcall function 00429E14: GetProcAddress.KERNEL32(00000000), ref: 00429E57
                                              • strcmp.MSVCRT ref: 0042A564
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog$AddressHandleInfoModuleProcSystemstrcmp
                                              • String ID: -
                                              • API String ID: 2798778560-3695764949
                                              • Opcode ID: 810e76710438dc610a8f65e68e3b3fb7bc448d836c8ce3c0334078f89870ee5c
                                              • Instruction ID: e6ce380c3a3ac2c55b51f2b4440a97a73f837847137fa23a562351a59a445e21
                                              • Opcode Fuzzy Hash: 810e76710438dc610a8f65e68e3b3fb7bc448d836c8ce3c0334078f89870ee5c
                                              • Instruction Fuzzy Hash: 82319031E00229ABCF05FBE1F9529EEB775AF50314F90411FF801721A1DB785A55CA6A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: 0$x
                                              • API String ID: 3519838083-1948001322
                                              • Opcode ID: e8dfd2092c0bd346839a9ba7c07ea0da855a25eceef19db3491fe183db29c813
                                              • Instruction ID: 4825260e410dee78dd90eee5c2bd2523bef7b344be8e191b36b302618c3deac5
                                              • Opcode Fuzzy Hash: e8dfd2092c0bd346839a9ba7c07ea0da855a25eceef19db3491fe183db29c813
                                              • Instruction Fuzzy Hash: 80218336E01129ABCF04EB94D991AEEB7B5FF48304F51016FE80177251CB795E08CB98
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00484039
                                                • Part of subcall function 004840BA: __EH_prolog.LIBCMT ref: 004840BF
                                                • Part of subcall function 00465E2B: __EH_prolog.LIBCMT ref: 00465E30
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: D.M$T.M
                                              • API String ID: 3519838083-4150459566
                                              • Opcode ID: f527413cab59bc25ec31fa53a7f25e721b9f24c527a2e7b1f6beebf70916a76f
                                              • Instruction ID: 51df24ae04f476c2e1096f4ece4a0301458e2f5d620fb106c23a7af1e73a3154
                                              • Opcode Fuzzy Hash: f527413cab59bc25ec31fa53a7f25e721b9f24c527a2e7b1f6beebf70916a76f
                                              • Instruction Fuzzy Hash: F30116B1911B018FC764EF69C51569ABBF4AF18704F008D5FD09A93741EBB8AA08CB99
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs
                                              • String ID: =
                                              • API String ID: 1795875747-2525689732
                                              • Opcode ID: 45351be993b1d4f6b51fe1e4ee47cbc9d77fb0c3a24e0736e5e3b3bd33a7744d
                                              • Instruction ID: f6e17bfd3699b8af70f1966a2494370728ba27e23b19ab2eb1c88cd75a5a978f
                                              • Opcode Fuzzy Hash: 45351be993b1d4f6b51fe1e4ee47cbc9d77fb0c3a24e0736e5e3b3bd33a7744d
                                              • Instruction Fuzzy Hash: B8E0D835A0012497CB00B7EA9C95CAE7F29EB80314754083BE910D7211FF759915CBD8
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: fputs
                                              • String ID: Unsupported Windows version$p&N
                                              • API String ID: 1795875747-68333940
                                              • Opcode ID: e1d3b1d9f0c095e92c589de624ee91bbd92bd9c7fd3ade569fb611b27b4483c7
                                              • Instruction ID: 5cddd74770577398ac329313bb9416a5282d8e88131c72cd80ffbf302befb3aa
                                              • Opcode Fuzzy Hash: e1d3b1d9f0c095e92c589de624ee91bbd92bd9c7fd3ade569fb611b27b4483c7
                                              • Instruction Fuzzy Hash: E9D0A773744200EFD7054FC8FA86F943760E388720F20042BE002C5192DBB960018A18
                                              APIs
                                              • memcmp.MSVCRT(?,004D48A0,00000010), ref: 004841D6
                                              • memcmp.MSVCRT(?,004D0168,00000010), ref: 004841F1
                                              • memcmp.MSVCRT(?,004D01E8,00000010), ref: 00484205
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1829676869.0000000000421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00420000, based on PE: true
                                               • Associated: 0000000A.00000002.1829660103.0000000000420000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829724406.00000000004CC000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829742442.00000000004E2000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 0000000A.00000002.1829757497.00000000004EB000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_420000_7zr.jbxd
                                              Similarity
                                              • API ID: memcmp
                                              • String ID:
                                              • API String ID: 1475443563-0
                                              • Opcode ID: 4171e7940701ba9401a046c7d4fce7a466684006aa783ad211c68c674f6b8a86
                                              • Instruction ID: 5c3b89eb4b210754d4b4a199afad6b6e978e564ca018becb56adc8a470906151
                                              • Opcode Fuzzy Hash: 4171e7940701ba9401a046c7d4fce7a466684006aa783ad211c68c674f6b8a86
                                              • Instruction Fuzzy Hash: B801043538020667D7106A15CC42FBE77A8ABA4790F14482FFE49DB381F6BDA980A359