

Windows Analysis Report
Setup64v4.1.9.exe

Overview

General Information

Sample name: Setup64v4.1.9.exe
Analysis ID: 1580841
MD5: f07267a8be1916ac2b02700f5fdb65bc
SHA1: 15380faa66ef42ba6171ffed2bbee6bba9cc3e16
SHA256: 7157a44b6835911bb056cea9b6f5d53eab8a393f25e425caee5de1183c00c571
Tags: exe, user-kafan_shengui

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Adds a directory exclusion to Windows Defender
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Setup64v4.1.9.exe (PID: 7560 cmdline: "C:\Users\user\Desktop\Setup64v4.1.9.exe" MD5: F07267A8BE1916AC2B02700F5FDB65BC)
    • Setup64v4.1.9.tmp (PID: 7576 cmdline: "C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp" /SL5="$2047A,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe" MD5: 9F18A5E381F7509154D344A6946A533A)
      • powershell.exe (PID: 7592 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7780 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • Setup64v4.1.9.exe (PID: 7864 cmdline: "C:\Users\user\Desktop\Setup64v4.1.9.exe" /VERYSILENT MD5: F07267A8BE1916AC2B02700F5FDB65BC)
        • Setup64v4.1.9.tmp (PID: 7880 cmdline: "C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp" /SL5="$40496,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe" /VERYSILENT MD5: 9F18A5E381F7509154D344A6946A533A)
          • 7zr.exe (PID: 7972 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 8060 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 8068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 7972 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 8072 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7948 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7964 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8140 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8156 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8172 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8188 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7292 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7340 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4584 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3452 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2188 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5288 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1620 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3220 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3604 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1216 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3744 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7672 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7736 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7752 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7608 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7312 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7848 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7576 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8004 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7964 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5928 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7976 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8120 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8104 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8168 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8172 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8164 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2140 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4020 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3320 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2188 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4108 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4956 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3608 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4180 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5480 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3604 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7648 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7652 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7632 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7592 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7584 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7840 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7984 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7576 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7980 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8052 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8148 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8152 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3624 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7196 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4996 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7296 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2496 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2200 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3228 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp" /SL5="$2047A,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp, ParentProcessId: 7576, ParentProcessName: Setup64v4.1.9.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7592, ProcessName: powershell.exe
Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems), Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7948, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7964, ProcessName: sc.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp" /SL5="$2047A,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp, ParentProcessId: 7576, ParentProcessName: Setup64v4.1.9.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7592, ProcessName: powershell.exe
Source: Process started, Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community, Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7948, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7964, ProcessName: sc.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp" /SL5="$2047A,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp, ParentProcessId: 7576, ParentProcessName: Setup64v4.1.9.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7592, ProcessName: powershell.exe
No Suricata rule has matched
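The process tree and the Sigma matches above turn on three command lines: the Inno Setup stub runs powershell.exe with Add-MpPreference -ExclusionPath 'C:\' (Defender stops scanning the whole volume), 7zr.exe unpacks res.dat and locale3.dat with inline -p passwords (the payload is password-protected and carries a non-archive extension), and sc.exe registers CleverSoar as a type= kernel, start= auto service whose binPath is a .dll under Program Files rather than a .sys under System32\drivers, then starts it repeatedly. The Python below is an added example for this report, not Joe Sandbox or Sigma code: it parses process-tree lines in the report's own format (the sample input is a subset copied from the tree above) and flags those three behaviours. The rule names, the regexes, and the heuristic that a legitimate kernel driver is a .sys file under System32\drivers are assumptions of this example.

```python
"""Triage of Joe Sandbox process-tree lines (added example, not report code).
Rule names, regexes and the driver-location heuristic are assumptions."""
import re
from dataclasses import dataclass

# Constructed input: a subset of the process-tree lines copied from this report.
PROCESS_TREE = r'''
• powershell.exe (PID: 7592 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
• conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
• 7zr.exe (PID: 7972 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
• 7zr.exe (PID: 8060 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
• sc.exe (PID: 7964 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
• sc.exe (PID: 8072 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
'''

@dataclass
class Process:
    image: str
    pid: int
    cmdline: str
    md5: str

@dataclass
class Finding:
    pid: int
    rule: str
    detail: str

LINE_RE = re.compile(r'^(?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*?) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$')

def parse_tree(text):
    """Parse 'image (PID: n cmdline: ... MD5: ...)' lines; bullets and indentation are ignored."""
    procs = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip().lstrip('•').strip())
        if m:
            procs.append(Process(m['image'].lower(), int(m['pid']), m['cmd'], m['md5'].upper()))
    return procs

# Rule 1: Defender exclusions added via Add-MpPreference on the command line.
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(?P<kind>Path|Extension|Process)\s+['\"]?(?P<value>[^'\"]+)", re.I)

def whole_drive(path):
    """True for a bare volume root such as C: or C:\\ (the exclusion covers the entire drive)."""
    return re.fullmatch(r'[A-Za-z]:\\?', path.strip()) is not None

def check_defender(proc):
    m = EXCLUSION_RE.search(proc.cmdline)
    if not m:
        return []
    detail = f"Add-MpPreference -Exclusion{m['kind']} {m['value']!r}"
    if m['kind'].lower() == 'path' and whole_drive(m['value']):
        detail += ' (whole drive excluded from scanning)'
    return [Finding(proc.pid, 'defender_exclusion', detail)]

# Rule 2: kernel-mode services registered with sc.exe, and their later start.
SC_RE = re.compile(r'^(?:\S*\\)?sc(?:\.exe)?\s+(?P<verb>create|start)\s+(?P<name>\S+)(?P<rest>.*)$', re.I)
SC_ARG_RE = re.compile(r'(?P<key>\w+)=\s*(?:"(?P<q>[^"]*)"|(?P<u>\S+))')  # sc syntax is "key= value"
DRIVER_DIR = r'c:\windows\system32\drivers'  # assumption: where a legitimate driver image normally lives

def check_sc(proc, created):
    m = SC_RE.match(proc.cmdline)
    if not m:
        return []
    name = m['name']
    if m['verb'].lower() == 'start':
        if name.lower() in created:
            return [Finding(proc.pid, 'kernel_driver_started', f'sc start {name} loads the driver registered by PID {created[name.lower()]}')]
        return []
    args = {a['key'].lower(): (a['q'] if a['q'] is not None else a['u']) for a in SC_ARG_RE.finditer(m['rest'])}
    if args.get('type', '').lower() != 'kernel':
        return []
    path = args.get('binpath', '')
    reasons = []
    if not path.lower().endswith('.sys'):
        reasons.append('image is not a .sys file')
    if not path.lower().startswith(DRIVER_DIR):
        reasons.append('image is outside System32\\drivers')
    if args.get('start', '').lower() == 'auto':
        reasons.append('start= auto survives reboot')
    created[name.lower()] = proc.pid  # remember the name so a later "sc start" is attributed to this registration
    return [Finding(proc.pid, 'kernel_driver_service', f'sc create {name} type= kernel binPath= {path!r}: ' + '; '.join(reasons))]

# Rule 3: 7-Zip extraction with an inline password (-p<password>) from a file without an archive extension.
SEVENZIP_RE = re.compile(r'^(?:\S*\\)?7z[ar]?(?:\.exe)?\s+(?P<verb>[xe])\s+(?P<rest>.*)$', re.I)
ARCHIVE_EXTS = {'7z', 'zip', 'rar', 'tar', 'gz', 'xz', 'cab'}

def check_7zip(proc):
    m = SEVENZIP_RE.match(proc.cmdline)
    if not m:
        return []
    tokens = m['rest'].split()
    archive = next((t for t in tokens if not t.startswith('-')), None)
    password = next((t[2:] for t in tokens if t.lower().startswith('-p') and len(t) > 2), None)
    if archive is None or password is None:
        return []
    ext = archive.rsplit('.', 1)[-1].lower() if '.' in archive else ''
    detail = f"{proc.image} extracts {archive} with password {password!r}"
    if ext not in ARCHIVE_EXTS:
        detail += f' (archive disguised as .{ext})'
    return [Finding(proc.pid, 'password_protected_payload', detail)]

def triage(text):
    """Run all three rules over a process tree and return findings in tree order."""
    findings, created = [], {}
    for proc in parse_tree(text):
        findings += check_defender(proc) + check_sc(proc, created) + check_7zip(proc)
    return findings

if __name__ == '__main__':
    for f in triage(PROCESS_TREE):
        print(f'PID {f.pid:<5} {f.rule:<28} {f.detail}')
```

On the sample the script reports five findings: the exclusion from PID 7592, the two password-protected .dat extractions, the CleverSoar kernel service registration from PID 7964 and its start from PID 8072. The same three checks translate directly into process-creation telemetry (Sysmon event 1 or Security 4688 with command-line logging), which is what the Sigma rules above match on.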

AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsv.vbc, Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Local\Temp\is-B3NKO.tmp\Setup.tmp, Virustotal: Detection: 11%
Source: Setup64v4.1.9.exe, Virustotal: Detection: 8%
Source: C:\Users\user\AppData\Local\Temp\is-CJF95.tmp\Setup.tmp, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows NT\hrsv.vbc, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-B3NKO.tmp\Setup.tmp, Joe Sandbox ML: detected
Source: Setup64v4.1.9.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Setup64v4.1.9.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb, source: 7zr.exe, 0000000C.00000003.1768250778.0000000003880000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1768154729.0000000003680000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_00116868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_00117496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: Setup64v4.1.9.tmp, 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Setup64v4.1.9.tmp, 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: Setup64v4.1.9.tmp, 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Setup64v4.1.9.tmp, 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Setup64v4.1.9.tmp, 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup64v4.1.9.tmp, 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Setup64v4.1.9.tmp, 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Setup64v4.1.9.tmp, 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Setup64v4.1.9.tmp, 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Setup64v4.1.9.tmp, 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: Setup64v4.1.9.tmp, 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Setup64v4.1.9.tmp, 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: Setup64v4.1.9.tmp, 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup64v4.1.9.tmp, 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup64v4.1.9.tmp, 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, String found in binary or memory: http://ocsp.digicert.com0H
Source: Setup64v4.1.9.tmp, 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, String found in binary or memory: http://ocsp.digicert.com0I
Source: Setup64v4.1.9.tmp, 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, String found in binary or memory: http://ocsp.digicert.com0X
Source: Setup64v4.1.9.tmp, 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, String found in binary or memory: http://www.digicert.com/CPS0
Source: Setup64v4.1.9.tmp, 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Setup64v4.1.9.exe, String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Setup64v4.1.9.exe, 00000000.00000003.1667491459.000000007F8EB000.00000004.00001000.00020000.00000000.sdmp, Setup64v4.1.9.exe, 00000000.00000003.1667059618.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, Setup64v4.1.9.tmp, 00000001.00000000.1668948759.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Setup64v4.1.9.tmp, 00000006.00000000.1732057526.00000000002CD000.00000020.00000001.01000000.00000008.sdmp, Setup64v4.1.9.tmp.5.dr, Setup64v4.1.9.tmp.0.dr, String found in binary or memory: https://www.innosetup.com/
Source: Setup64v4.1.9.exe, 00000000.00000003.1667491459.000000007F8EB000.00000004.00001000.00020000.00000000.sdmp, Setup64v4.1.9.exe, 00000000.00000003.1667059618.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, Setup64v4.1.9.tmp, 00000001.00000000.1668948759.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Setup64v4.1.9.tmp, 00000006.00000000.1732057526.00000000002CD000.00000020.00000001.01000000.00000008.sdmp, Setup64v4.1.9.tmp.5.dr, Setup64v4.1.9.tmp.0.dr, String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Process information set: 01 00 00 00
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001182FB: __EH_prolog,GetFileInformationByHandle,DeviceIoControl,memcpy
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C733CE0
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C780D50
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C71FEC9
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C705EA1
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C786E80
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C77B810
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C705972
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C797930
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C7869F0
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C77CA50
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C77AAD0
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C77EAA0
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C791AA0
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C71DB66
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C70DBCA
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C72240A
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C78C5C0
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C77F580
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C7866E0
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C7A6700
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C7097CF
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C77D020
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp, Code function: 6_2_6C790750
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001581EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_0012E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001981C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001A8240
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001922E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001B2300
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001AC3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_0017E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001A04C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001925F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_00188650
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_0018A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001866D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_0018C950
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_00160943
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001AE990
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_00192A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_0016AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_00188C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_00196CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001A0E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001A4EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_0019D089
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001710AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_0017B121
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001A1120
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_00195180
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_0018B180
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_0018D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001A91C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001A7200
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001AD2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_0019F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001AF3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001153CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001753F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_0013B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_00187410
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_0019F420
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001AD470
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_0015D496
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001A54D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001B351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_0018F500
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001A3530
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001A1550
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_00111572
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001AF599
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001B3601
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_00169652
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_0019D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_00129766
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001A77C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_001197CA
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0013F8E09_2_0013F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0018F9109_2_0018F910
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_001AD9E09_2_001AD9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00111AA19_2_00111AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0012BAC99_2_0012BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00197AF09_2_00197AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00163AEF9_2_00163AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00197C509_2_00197C50
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0012BC929_2_0012BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0018FDF09_2_0018FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00195E809_2_00195E80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00195F809_2_00195F80
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Windows NT\7zr.exe BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00111E40 appears 82 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 001AFB10 appears 720 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 001128E3 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Code function: String function: 6C7A3F10 appears 415 times
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Code function: String function: 6C706240 appears 31 times
Source: Setup64v4.1.9.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Setup64v4.1.9.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Setup64v4.1.9.exe | Static PE information: Number of sections : 11 > 10
Source: Setup64v4.1.9.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: Setup64v4.1.9.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: Setup64v4.1.9.exe, 00000000.00000003.1667059618.0000000002F3F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName Setup.exe vs Setup64v4.1.9.exe
Source: Setup64v4.1.9.exe, 00000000.00000003.1667491459.000000007FBDB000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName Setup.exe vs Setup64v4.1.9.exe
Source: Setup64v4.1.9.exe, 00000000.00000000.1665204010.0000000000719000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName Setup.exe vs Setup64v4.1.9.exe
Source: Setup64v4.1.9.exe | Binary or memory string: OriginalFileName Setup.exe vs Setup64v4.1.9.exe
Source: Setup64v4.1.9.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal88.evad.winEXE@144/31@0/0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00119313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00123D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00119252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | File created: C:\Program Files (x86)\Windows NT\is-NOSH8.tmp
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | File created: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: Setup64v4.1.9.exe | Virustotal: Detection: 8%
Source: Setup64v4.1.9.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | File read: C:\Users\user\Desktop\Setup64v4.1.9.exe
Source: unknown | Process created: C:\Users\user\Desktop\Setup64v4.1.9.exe "C:\Users\user\Desktop\Setup64v4.1.9.exe"
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp "C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp" /SL5="$2047A,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Process created: C:\Users\user\Desktop\Setup64v4.1.9.exe "C:\Users\user\Desktop\Setup64v4.1.9.exe" /VERYSILENT
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp "C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp" /SL5="$40496,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: slc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmpSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Setup64v4.1.9.exe | Static file information: File size 12899330 > 1048576
Source: Setup64v4.1.9.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1768250778.0000000003880000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1768154729.0000000003680000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001957D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 9_2_001957D0
Source: hrsv.vbc.6.dr | Static PE information: real checksum: 0x0 should be: 0x649dd2
Source: Setup.tmp.1.dr | Static PE information: real checksum: 0x0 should be: 0x649dd2
Source: Setup64v4.1.9.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x32a21e
Source: Setup.tmp.6.dr | Static PE information: real checksum: 0x0 should be: 0x649dd2
Source: tProtect.dll.12.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: Setup64v4.1.9.tmp.5.dr | Static PE information: real checksum: 0x0 should be: 0x32a21e
Source: Setup64v4.1.9.exe | Static PE information: section name: .didata
Source: Setup64v4.1.9.tmp.0.dr | Static PE information: section name: .didata
Source: Setup.tmp.1.dr | Static PE information: section name: .00cfg
Source: Setup.tmp.1.dr | Static PE information: section name: .voltbl
Source: Setup.tmp.1.dr | Static PE information: section name: .XkS
Source: Setup64v4.1.9.tmp.5.dr | Static PE information: section name: .didata
Source: 7zr.exe.6.dr | Static PE information: section name: .sxdata
Source: Setup.tmp.6.dr | Static PE information: section name: .00cfg
Source: Setup.tmp.6.dr | Static PE information: section name: .voltbl
Source: Setup.tmp.6.dr | Static PE information: section name: .XkS
Source: hrsv.vbc.6.dr | Static PE information: section name: .00cfg
Source: hrsv.vbc.6.dr | Static PE information: section name: .voltbl
Source: hrsv.vbc.6.dr | Static PE information: section name: .XkS
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Code function: 6_2_6C7A3F10 push eax; ret 6_2_6C7A3F2E
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Code function: 6_2_6C7089F4 push 004AC35Ch; ret 6_2_6C708A0E
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Code function: 6_2_6C7A4290 push eax; ret 6_2_6C7A42BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001145F4 push 001BC35Ch; ret 9_2_0011460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001AFB10 push eax; ret 9_2_001AFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001AFE90 push eax; ret 9_2_001AFEBE
Source: Setup.tmp.1.dr | Static PE information: section name: .text entropy: 6.902892302303514
Source: Setup.tmp.6.dr | Static PE information: section name: .text entropy: 6.902892302303514
Source: hrsv.vbc.6.dr | Static PE information: section name: .text entropy: 6.902892302303514
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-CJF95.tmp\Setup.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-B3NKO.tmp\Setup.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-CJF95.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | File created: C:\Program Files (x86)\Windows NT\hrsv.vbc
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | File created: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | File created: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-B3NKO.tmp\_isetup\_setup64.tmp
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp; System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6124
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3660
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp; Window / User API: threadDelayed 532
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp; Window / User API: threadDelayed 519 (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CJF95.tmp\Setup.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-B3NKO.tmp\Setup.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CJF95.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsv.vbc
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-B3NKO.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe; API coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7708; Thread sleep count: 6124 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7708; Thread sleep count: 3660 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7756; Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed (32 occurrences)
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 9_2_00116868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 9_2_00117496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 9_2_00119C60 GetSystemInfo
Source: Setup64v4.1.9.tmp, 00000001.00000002.1734916739.00000000009BD000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: Setup64v4.1.9.tmp, 00000001.00000002.1734916739.00000000009BD000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\>
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
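The FirmwareTableInformation query recorded above, next to the VMware CD-ROM device path found in the installer's memory, is the standard SMBIOS-string VM check: the raw firmware table is walked structure by structure and every string is compared against hypervisor vendor names. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample: it parses a raw SMBIOS table the way such a check does, on Windows fetches the live table through GetSystemFirmwareTable('RSMB') (the documented user-mode wrapper over the same SystemFirmwareTableInformation query), and otherwise runs on two constructed tables. The marker list, the sample tables and all function names are assumptions made for the example.

```python
"""
Added example (not part of the Joe Sandbox report): what a "query firmware
table" VM check amounts to, and how an analyst can run the same check against
a sandbox image. Raw SMBIOS data is a sequence of structures (type, length,
handle, formatted area), each followed by a NUL-separated string set that ends
in a double NUL; hypervisors put their vendor names in those strings.
"""
import struct
import sys

# Substrings a typical anti-VM routine looks for (compared lower-cased).
VM_MARKERS = (b"vmware", b"virtualbox", b"vbox", b"qemu", b"kvm", b"xen",
              b"hyper-v", b"parallels", b"bochs")


def parse_smbios_strings(table):
    """Return [(structure_type, [string, ...])] for each structure in raw
    SMBIOS table data (the bytes after the 8-byte RawSMBIOSData header)."""
    out = []
    off = 0
    n = len(table)
    while off + 4 <= n:
        stype, slen, _handle = struct.unpack_from("<BBH", table, off)
        if slen < 4:
            break                          # malformed header: stop, do not loop
        strings_start = off + slen         # the formatted area ends here
        term = table.find(b"\x00\x00", strings_start)
        if term == -1:
            break                          # truncated string set
        raw = table[strings_start:term]
        out.append((stype, raw.split(b"\x00") if raw else []))
        if stype == 127:                   # End-of-Table structure
            break
        off = term + 2
    return out


def vm_vendor_hits(table):
    """Return [(structure_type, string)] for strings naming a VM vendor."""
    hits = []
    for stype, strs in parse_smbios_strings(table):
        for s in strs:
            if any(m in s.lower() for m in VM_MARKERS):
                hits.append((stype, s.decode("latin-1", "replace")))
    return hits


def read_live_smbios():
    """Windows only: raw SMBIOS data via GetSystemFirmwareTable('RSMB').
    Returns None on other platforms or if the call fails."""
    if not sys.platform.startswith("win"):
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    RSMB = 0x52534D42                      # 'RSMB' provider signature
    size = k32.GetSystemFirmwareTable(RSMB, 0, None, 0)
    if size == 0:
        return None
    buf = ctypes.create_string_buffer(size)
    if k32.GetSystemFirmwareTable(RSMB, 0, buf, size) == 0:
        return None
    # RawSMBIOSData: Used20CallingMethod, MajorVersion, MinorVersion,
    # DmiRevision (one byte each), Length (DWORD), then the table bytes.
    length = struct.unpack_from("<I", buf.raw, 4)[0]
    return buf.raw[8:8 + length]


def _structure(stype, formatted, strings):
    """Build one SMBIOS structure; only used to construct the sample tables."""
    header = struct.pack("<BBH", stype, 4 + len(formatted), 0x0100 + stype)
    if strings:
        strset = b"".join(s + b"\x00" for s in strings) + b"\x00"
    else:
        strset = b"\x00\x00"
    return header + formatted + strset


# Constructed sample tables (not captured data): a Type 1 "System Information"
# structure with VMware strings, and one as a physical machine would report.
SAMPLE_VM = (_structure(1, bytes([1, 2]), [b"VMware, Inc.", b"VMware Virtual Platform"])
             + _structure(127, b"", []))
SAMPLE_BARE_METAL = (_structure(1, bytes([1, 2]), [b"Dell Inc.", b"OptiPlex 7090"])
                     + _structure(127, b"", []))

if __name__ == "__main__":
    live = read_live_smbios()
    table = live if live is not None else SAMPLE_VM
    print("live SMBIOS table" if live is not None else "constructed sample table")
    for stype, s in vm_vendor_hits(table):
        print(f"  type {stype}: {s}")
```

Run on a VMware guest the live table yields the same kind of hits as the constructed one, which is why a sandbox that wants to survive this check has to present edited SMBIOS strings, not only renamed device paths. The \??\SCSI#CdRom&Ven_NECVMWar string in the report is the device-enumeration side of the same fingerprint and is reachable without any firmware query.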

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp; Thread information set: HideFromDebugger (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp; Process queried: DebugPort
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 9_2_001957D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp; Code function: 6_2_6C6E7676 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp; Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" (2 occurrences)
Source: tProtect.dll.12.dr; Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp; Process created: C:\Users\user\Desktop\Setup64v4.1.9.exe "C:\Users\user\Desktop\Setup64v4.1.9.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp; Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc start CleverSoar (31 occurrences)
Source: C:\Windows\System32\cmd.exe; Process created: unknown unknown
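Two of the command lines in this section are the ones a detection engineer should key on: a Windows Defender exclusion for the whole of C:\, and a kernel-mode service (type= kernel) registered with a binPath that is a .dll under Program Files (x86)\Windows NT rather than a .sys under System32\drivers, followed by repeated sc start attempts. The Python below is an added example, not part of the Joe Sandbox report: it runs that logic over constructed process-creation events in the shape of Sysmon Event ID 1 / Security 4688 fields. The first three command lines are copied from the report; the rest, including a base64 -EncodedCommand variant of the same cmdlet that goes beyond what this report shows, are constructed for contrast. Rule names, severities and function names are the example's own.

```python
"""
Added example (not part of the Joe Sandbox report): detection logic for the
Defender-exclusion and kernel-driver-registration commands in the report, run
over constructed process-creation events. Events 0-2 copy the report's command
lines; events 3-5 are made up to show an evasion variant and two benign cases.
"""
import base64
import re

# PowerShell's encoded-command switch and its accepted abbreviations.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
MP_EXCLUSION = re.compile(
    r"""Add-MpPreference\b[^|;]*?-Exclusion(Path|Process|Extension)\s+['"]?([^'"\s]+)""", re.I)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(\S+)(.*)$", re.I)
SC_START = re.compile(r"\bsc(?:\.exe)?\s+start\s+(\S+)", re.I)
BINPATH = re.compile(r'binpath=\s*(?:"([^"]+)"|(\S+))', re.I)
SVC_TYPE = re.compile(r"\btype=\s*(\S+)", re.I)


def expand_encoded(cmdline):
    """Append the decoded -EncodedCommand payload (UTF-16LE inside base64)
    so the cmdlet rule sees through the usual base64 wrapper."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    b64 = m.group(1)
    try:
        decoded = base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-16le", "replace")
    except ValueError:                 # binascii.Error is a ValueError
        return cmdline
    return cmdline + " " + decoded


def scan(events):
    """Return (rule, event_index, detail, severity) tuples, in event order."""
    alerts = []
    flagged_drivers = set()
    for i, ev in enumerate(events):
        image = ev["image"].lower()
        cmd = ev["command_line"]
        if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
            m = MP_EXCLUSION.search(expand_encoded(cmd))
            if m:
                kind, target = m.group(1), m.group(2)
                # Excluding a whole drive blinds Defender to everything on it.
                sev = "high" if kind.lower() == "path" and DRIVE_ROOT.match(target) else "medium"
                alerts.append(("defender_exclusion", i, f"{kind}={target}", sev))
        elif image.endswith("\\sc.exe"):
            m = SC_CREATE.search(cmd)
            if m:
                name, rest = m.group(1), m.group(2)
                t, bp = SVC_TYPE.search(rest), BINPATH.search(rest)
                if t and t.group(1).lower() == "kernel" and bp:
                    path = (bp.group(1) or bp.group(2)).lower()
                    # Legitimate drivers live under System32\drivers and end in .sys.
                    if "\\system32\\drivers\\" not in path or not path.endswith(".sys"):
                        flagged_drivers.add(name.lower())
                        alerts.append(("kernel_driver_unusual_binpath", i, f"{name}: {path}", "high"))
                continue
            m = SC_START.search(cmd)
            if m and m.group(1).lower() in flagged_drivers:
                alerts.append(("kernel_driver_start", i, m.group(1), "medium"))
    return alerts


# Constructed encoded form of the same exclusion cmdlet (UTF-16LE, then base64).
ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users'".encode("utf-16le")).decode()

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SC = r"C:\Windows\System32\sc.exe"
SAMPLE_EVENTS = [
    # 0-2: command lines as recorded in the report
    {"image": PS, "command_line": "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""},
    {"image": SC, "command_line": 'sc create CleverSoar displayname= CleverSoar binPath= "C:\\Program Files (x86)\\Windows NT\\tProtect.dll" type= kernel start= auto'},
    {"image": SC, "command_line": "sc start CleverSoar"},
    # 3: constructed, the same exclusion hidden behind -EncodedCommand
    {"image": PS, "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    # 4: constructed, a driver registered the normal way (not flagged)
    {"image": SC, "command_line": r"sc create mydrv binPath= C:\Windows\System32\drivers\mydrv.sys type= kernel start= demand"},
    # 5: constructed, read-only cmdlet (not flagged)
    {"image": PS, "command_line": "powershell.exe -Command Get-MpPreference"},
]

if __name__ == "__main__":
    for rule, idx, detail, sev in scan(SAMPLE_EVENTS):
        print(f"[{sev:6}] event {idx}: {rule} ({detail})")
```

On a host where this ran, Get-MpPreference | Select-Object -ExpandProperty ExclusionPath shows the C:\ entry and Remove-MpPreference -ExclusionPath 'C:\' takes it out; the service registration is visible in the registry under HKLM\SYSTEM\CurrentControlSet\Services\CleverSoar. Note that the report lists tProtect.dll among the dropped PE files that were never started and counts no new started drivers, so the thirty-odd sc start launches recorded here did not result in a loaded driver during the analysis.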
Source: C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp; Code function: 6_2_6C7A4720 cpuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 9_2_0011AB2A GetSystemTimeAsFileTime
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 9_2_001B0090 GetVersion
Source: Setup64v4.1.9.tmp, 00000006.00000002.1899349444.00000000014E3000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: C:\Program Files\Windows Defender\MsMpEng.exe
MITRE ATT&CK matrix. Techniques that carry a signature badge, grouped by tactic; the number in parentheses is the badge text the report shows in that cell. No technique is flagged under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact, and the unflagged template cells of the matrix are omitted.

  • Execution: Command and Scripting Interpreter (2); Service Execution (1); Native API (1)
  • Persistence: Windows Service (1); DLL Side-Loading (1)
  • Privilege Escalation: Access Token Manipulation (1); Windows Service (1); Process Injection (111); DLL Side-Loading (1)
  • Defense Evasion: Masquerading (11); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (231); Access Token Manipulation (1); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (1); DLL Side-Loading (1)
  • Discovery: System Time Discovery (1); Security Software Discovery (321); Process Discovery (1); Virtualization/Sandbox Evasion (231); Application Window Discovery (1); System Owner/User Discovery (2); File and Directory Discovery (3); System Information Discovery (25)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (1)
Behavior graph (ID 1580841; sample Setup64v4.1.9.exe; start date 26/12/2024; architecture WINDOWS; score 88), rendered as a process tree:

Graph-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; 2 other signatures

Setup64v4.1.9.exe
  dropped: C:\Users\user\AppData\...\Setup64v4.1.9.tmp (PE32)
  Setup64v4.1.9.tmp
    dropped: C:\Users\user\AppData\Local\...\Setup.tmp (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    signature: Adds a directory exclusion to Windows Defender
    powershell.exe
      signature: Loading BitLocker PowerShell Module
      conhost.exe
      WmiPrvSE.exe
    Setup64v4.1.9.exe (second instance)
      dropped: C:\Users\user\AppData\...\Setup64v4.1.9.tmp (PE32)
      Setup64v4.1.9.tmp
        dropped: C:\Users\user\AppData\Local\...\Setup.tmp (PE32); C:\Program Files (x86)\Windows NT\hrsv.vbc (PE32); C:\Program Files (x86)\Windows NT\7zr.exe (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers
        7zr.exe
          dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+)
          conhost.exe
        7zr.exe
          conhost.exe
        cmd.exe
          sc.exe
            conhost.exe
cmd.exe (2 instances started at the root)
  sc.exe
    conhost.exe
30 other processes started at the root, each launching sc.exe and conhost.exe (the graph summarizes 26 further sc.exe and 25 further conhost.exe instances)

Antivirus detection, submitted file:
  • Setup64v4.1.9.exe: ReversingLabs 3%; Virustotal 8%

Antivirus detection, dropped files:
  • C:\Users\user\AppData\Local\Temp\is-CJF95.tmp\Setup.tmp: Joe Sandbox ML 100%
  • C:\Program Files (x86)\Windows NT\hrsv.vbc: Joe Sandbox ML 100%; Virustotal 11%
  • C:\Users\user\AppData\Local\Temp\is-B3NKO.tmp\Setup.tmp: Joe Sandbox ML 100%; Virustotal 11%
  • C:\Program Files (x86)\Windows NT\7zr.exe: ReversingLabs 0%; Virustotal 0%
  • C:\Program Files (x86)\Windows NT\tProtect.dll: ReversingLabs 9%; Virustotal 6%
  • C:\Users\user\AppData\Local\Temp\is-B3NKO.tmp\_isetup\_setup64.tmp: ReversingLabs 0%
  • C:\Users\user\AppData\Local\Temp\is-CJF95.tmp\_isetup\_setup64.tmp: ReversingLabs 0%

No contacted domains info

URLs found in sample memory (Name; Source; Malicious; Reputation):
  • https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU; Setup64v4.1.9.exe; false; high
  • https://www.remobjects.com/ps; Setup64v4.1.9.exe, 00000000.00000003.1667491459.000000007F8EB000.00000004.00001000.00020000.00000000.sdmp, Setup64v4.1.9.exe, 00000000.00000003.1667059618.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, Setup64v4.1.9.tmp, 00000001.00000000.1668948759.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Setup64v4.1.9.tmp, 00000006.00000000.1732057526.00000000002CD000.00000020.00000001.01000000.00000008.sdmp, Setup64v4.1.9.tmp.5.dr, Setup64v4.1.9.tmp.0.dr; false; high
  • https://www.innosetup.com/; Setup64v4.1.9.exe, 00000000.00000003.1667491459.000000007F8EB000.00000004.00001000.00020000.00000000.sdmp, Setup64v4.1.9.exe, 00000000.00000003.1667059618.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, Setup64v4.1.9.tmp, 00000001.00000000.1668948759.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Setup64v4.1.9.tmp, 00000006.00000000.1732057526.00000000002CD000.00000020.00000001.01000000.00000008.sdmp, Setup64v4.1.9.tmp.5.dr, Setup64v4.1.9.tmp.0.dr; false; high

No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580841
Start date and time: 2024-12-26 11:06:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 110
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: Setup64v4.1.9.exe
Detection: MAL
Classification: mal88.evad.winEXE@144/31@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 59%
  • Number of executed functions: 95
  • Number of non-executed functions: 196
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): Conhost.exe, SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 52.149.20.212
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analysed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information
  • Report size getting too big, too many NtCreateKey calls found
  • Report size getting too big, too many NtOpenKeyEx calls found
  • Report size getting too big, too many NtQueryValueKey calls found
Time; Type; Description:
  • 05:07:02; API Interceptor; 15x Sleep call for process: powershell.exe modified

Associated samples matching C:\Program Files (x86)\Windows NT\7zr.exe (each with Detection: malicious and Threat Name: Unknown). The report renders the Chinese filename 安装程序 ("installer") as #U5b89#U88c5#U7a0b#U5e8f:
  • 安装程序_2.1.0.exe (listed twice)
  • yvaKqhmD4L.exe (listed twice)
  • 安装程序_1.1.5.exe (listed twice)
  • 安装程序_1.1.6.exe
  • 安装程序_1.1.2.exe
  • 安装程序_1.1.1.exe
  • 安装程序_1.1.0.exe
                            Process:C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp
                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):831200
                            Entropy (8bit):6.671005303304742
                            Encrypted:false
                            SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                            MD5:84DC4B92D860E8AEA55D12B1E87EA108
                            SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                            SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                            SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            • Antivirus: Virustotal, Detection: 0%, Browse
                            Joe Sandbox View:
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, Detection: malicious, Browse
                            • Filename: yvaKqhmD4L.exe, Detection: malicious, Browse
                            • Filename: yvaKqhmD4L.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):3221009
                            Entropy (8bit):7.999940595371903
                            Encrypted:true
                            SSDEEP:98304:XCOjC0WnYf+LCXhksIbstsy780E+S5XufrjVpfjF:y2hWCRksIb5y7W5ezjVxF
                            MD5:844C90C34433E6159EC531A2038FD95C
                            SHA1:55229F8F5715E1E2F4F5F13FFEB67B188259DEF6
                            SHA-256:B8E5BBB5400326FDF0366A0212F4F2C05D1517A064883A7CA82480AF46948BFE
                            SHA-512:39AE0AE1FF66C10FCF48A337C594FA19A33CF9E44D75F9800E09377E1DD5F432CFD8FF05063DD6D3055FDDF99126F78C8D4849DE1A194EDBD0DAD10C3CC95B26
                            Malicious:false
                            Preview:.@S.....T..L...............A...-_..kG.k.EoO..W.....9f.FD...o&f.~.A.6.......v.3i...R.S.....wA.yYN...7...j\AC#..F..?..).......`...../...I.LF.Z............kV...3....v.B..........G.n).1..*TYA.B..8...ihp......Z??.T....Fb:...B.-;..{.Fc.2...z.n=bSY)."....K...e...n...0;.^.O.:.P.:.....p?..=....E>Z..|.?$d?.....k&...]......N..*?f~r.I@Z...t....~m.<.....<...i..!......~.*.l....y=i....?..(.AG...rH.0-/.%p.G.pz&.,.~.|Y...?.A...,..ljW...].k.....b.J..f).R......s3}.......E..Ge7F.U\.,.....|...o...4.......A.lr..#%P.h.Bb.P....FPXR.#!......qG<............Y.'.=K./.4.Z\.F..O..9.?\-.}.IQq@......2..Y.......n ..c....r\.<f..f{......6A.......~{..c."..[...y<...l..S..,Z.t...{.zF....r.&T.....,....J>-.%?.[.8..fy..Y...."...Q.......Q....U.(...mc.......TN.......Rp._0y..w...)h.p...M..n....2.%../.f....f>..xQ.1.m)I%.|.\f..q..M r..xJ.?X.."....RV>......[r%y...L..L....tS1.1(...b...k..].e.mZ.x.G.kx....r..U....a.....A.....)K.N....;.c.....e_...f.Q..y`|AN.._l4...bXf.&..UL..6
                            Process:C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):6553088
                            Entropy (8bit):7.647769337217841
                            Encrypted:false
                            SSDEEP:196608:90JmOiIkT/p5gtxNvL/6amzp5+/2nfD3:fjghjCZm2f
                            MD5:7660CD2408FA83CD090E58097DF443EA
                            SHA1:927B4D4213058490E4A5F0E8F917F492A7B9816F
                            SHA-256:02A7CA1654FA8AE05144BB9750DC43784E00AAD587B2DEE2E3AED67AB82D0C52
                            SHA-512:A93AE155006D47B59D34358B202B04EBB14E9BD62F64E4FB8FFD80102836B2BCA92382A7CA8559105EC4F66587918A498C59F510CF3FB2DE94B96FC83AA8A849
                            Malicious:true
                            Antivirus:
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: Virustotal, Detection: 11%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....lg...........!.....:...........u........................................d...........@.........................t.......a...(....0d......................@d..:...................................................................................text....9.......:.................. ..`.rdata.......P.......>..............@..@.data...`....P.......0..............@....00cfg.......0......................@..@.tls.........@......................@....voltbl.F....P...........................XkS....`.G..`....G................. ..`.rsrc........0d.......c.............@..@.reloc...:...@d..<....c.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):3221009
                            Entropy (8bit):7.999940595371903
                            Encrypted:true
                            SSDEEP:98304:XCOjC0WnYf+LCXhksIbstsy780E+S5XufrjVpfjF:y2hWCRksIb5y7W5ezjVxF
                            MD5:844C90C34433E6159EC531A2038FD95C
                            SHA1:55229F8F5715E1E2F4F5F13FFEB67B188259DEF6
                            SHA-256:B8E5BBB5400326FDF0366A0212F4F2C05D1517A064883A7CA82480AF46948BFE
                            SHA-512:39AE0AE1FF66C10FCF48A337C594FA19A33CF9E44D75F9800E09377E1DD5F432CFD8FF05063DD6D3055FDDF99126F78C8D4849DE1A194EDBD0DAD10C3CC95B26
                            Malicious:false
                            Preview:.@S.....T..L...............A...-_..kG.k.EoO..W.....9f.FD...o&f.~.A.6.......v.3i...R.S.....wA.yYN...7...j\AC#..F..?..).......`...../...I.LF.Z............kV...3....v.B..........G.n).1..*TYA.B..8...ihp......Z??.T....Fb:...B.-;..{.Fc.2...z.n=bSY)."....K...e...n...0;.^.O.:.P.:.....p?..=....E>Z..|.?$d?.....k&...]......N..*?f~r.I@Z...t....~m.<.....<...i..!......~.*.l....y=i....?..(.AG...rH.0-/.%p.G.pz&.,.~.|Y...?.A...,..ljW...].k.....b.J..f).R......s3}.......E..Ge7F.U\.,.....|...o...4.......A.lr..#%P.h.Bb.P....FPXR.#!......qG<............Y.'.=K./.4.Z\.F..O..9.?\-.}.IQq@......2..Y.......n ..c....r\.<f..f{......6A.......~{..c."..[...y<...l..S..,Z.t...{.zF....r.&T.....,....J>-.%?.[.8..fy..Y...."...Q.......Q....U.(...mc.......TN.......Rp._0y..w...)h.p...M..n....2.%../.f....f>..xQ.1.m)I%.|.\f..q..M r..xJ.?X.."....RV>......[r%y...L..L....tS1.1(...b...k..].e.mZ.x.G.kx....r..U....a.....A.....)K.N....;.c.....e_...f.Q..y`|AN.._l4...bXf.&..UL..6
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.99657747958244
                            Encrypted:true
                            SSDEEP:1536:0wybuqhUe1ZL6Pl98y1spKtRz11VYBDas2fSG74fO5+:Euqh31gPL/ZVQG1KG74f9
                            MD5:8A30882E738E453D9259B2EAE6880356
                            SHA1:D6D794D2A99B03A2206D28C10DC2BB68578E3E62
                            SHA-256:510100BDD847A8E22AFE7B393B4F67E5F9835FA06D2CB263BC3E3858126FF40F
                            SHA-512:6B33273BE7E6680BC910322FD5B49BD79F97A2E00B234BACA885B13835EA3DF4599A6A7CFF093FBE2B618F5B41AC7E8402CB08B09A131AD1AEE9E69D87BA2817
                            Malicious:false
                            Preview:.@S......2Sl ..............j,..J../...:.w._......&.........H[9...a.tW..5?..!..........B.P......E.... .u`X.,.{9A.<...~....G`.....`....we..`.......a/8R(.*.f1....M$}...d(9..6.y?..o.t&...W;.(}r.B#._Z...O...\.....L....5{.S.......JX.;.#.v. .or....b......ug..C.G..9?.4..mn0.eMY:....z..J...i;...V.W#.n........M.;m.k.....2QkK.}JZ\....T....C..~V|.1.......O.L&V..........0..B.6.f..Sd.A..g...2WR..../n.....F~...Hd.p..}.......o...}EO..Of...."..{e....N(D.]...{.F.1(.D.....:.e.)Pz..c..~.Zc.R....:;....N4.p.Qm.o.m...y..S.<.]^,.a0JTa...`......O.".:.m^........i..m..*..u.A..3.?...T^.....=...Bl..)K....,.....gD....B..B.E..lC.)r.?S t.N5.;...<;.../...8..3{.-..H.....Y...s....&...)/0.v>Po..0......\ZVl.m.c.A...}..P...R."em;.....3f../...r....mem.N..1....bJ7..1c7..Y..S..a......oB.QW.....+.w.?|C.*%]!Z..;.u>$...qR..qKI*..<.6"...i.gk,...k....y+...-..@....N.....J....0..n6....C.........y....<..w.-.D.j...........F'.(....D.iY..Ui..v..*F.#sW=.u.....)N....J.....|.s....#.......x9.
                            Process:C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996577479582443
                            Encrypted:true
                            SSDEEP:1536:1R6xzdWTOgFy6W9or7zm3viXV6p8V6Y/mYrG:1R6xzdWTfFy6JG6p0YrG
                            MD5:5E4625C9C66FD7AE2A8415D0C39590CC
                            SHA1:90A370CAE2FECC67E467B5134793EB71406D119C
                            SHA-256:4B7825FEEFF9F889D656E2F136FB905B7B4C90733E5CEA086CAED401B4F3B680
                            SHA-512:9E6E5F1263171F8F84DFFEB18A2B33AE0D102858DB0A959E64C13842C51A12AB530C14FECC24BE61B33DC59522EACAB4CAE4570D92BFFB14EE1AA15FAAB6484C
                            Malicious:false
                            Preview:7z..'...{P.........2.........?.....;E4/.....](+Y...}..&.m...+.....H\.5..@......co..n..;.0M....'~l.o.dB[......F.?..u.W.@........~...q.pc ...`[...c/.......n.6..Q|....vQ1...2...}M..s".|...59M..........?.Pz:|.`..{.Q...Q....#.DP$.^..9.<...$......rg..g!T.d..|a...&{!..G.~/v...6m.....H......[^...]a.....z.H..$A........X...k...;....$...m..B.^..8...A..=b0YMd......@0..HY.34 .E...:.|.....P.Z.J....K.."zW:..h.*....s{@....P;.h.#L@a.?..3......kA4Q[..=..H)......e5c...O....[Qn=..............(...N2..Z.r............}...Nx...;...5....P}...A.K....p.&..&.u.j.s..p(..0.U@...c.F...9..".....-.E..C^...\'.=|.X.Y..j0..B.a\.P.%...).1.._.."x.``.....?.y.p.qV....1.y...;.....L..t..I6})...d.......b.. e+....Q...B...*.NR.=....f...pZ..).].W..@..6..c.....q...&.'x....b..C....f....T{I.m...|..G......`...?..R....n,....6.....[=....%.%.....f.m....z....2O.z7..nhk.O."X#,.*3.0G. ...2:'I..?...VR..a.HX...o..S...q.....?.jg.....q.n........|..X.z7.].......x'...Am<.|Y..k.b..V{.."UfZ..|...G
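The two records above list a 56546-byte file written by 7zr.exe that `file` reports as plain data (header `.@S`) and a 56546-byte 7-zip archive written by the installer; their hashes differ but their sizes match and their 8-bit entropy values agree to fourteen digits. The entropy column is Shannon entropy over the byte histogram, so agreement that close means the two files almost certainly share a histogram, which is exactly what a byte-wise bijection such as single-byte XOR produces. The report does not say what the transformation is, and the following Python does not claim to know; it is an added example, not part of the Joe Sandbox report, that computes the entropy on constructed input, applies an assumed cutoff for the "Encrypted" flag (the report's exact threshold is not stated), and shows why two files can differ in every hash yet match in size and entropy.

```python
import math
import random
from collections import Counter

# Assumption: the report does not publish its cutoff for "Encrypted:true";
# 7.99 bits/byte separates the flagged files in this listing from the unflagged ones.
ENCRYPTED_THRESHOLD = 7.99


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> bool:
    """Mirror the report's Encrypted flag: near-uniform bytes read as encrypted or compressed."""
    return shannon_entropy(data) >= threshold


def histogram_profile(data: bytes) -> tuple:
    """Sorted byte counts; any two files with the same profile have the same entropy."""
    return tuple(sorted(Counter(data).values()))


def xor_single_byte(data: bytes, key: int) -> bytes:
    """A byte-wise bijection: changes every hash and SSDEEP, leaves the profile untouched."""
    return bytes(b ^ key for b in data)


def compare_pair(a: bytes, b: bytes) -> dict:
    """Triage two dropped files the way the Size/Entropy columns of the report invite."""
    return {
        "same_size": len(a) == len(b),
        "same_profile": histogram_profile(a) == histogram_profile(b),
        "entropy_a": round(shannon_entropy(a), 6),
        "entropy_b": round(shannon_entropy(b), 6),
        "both_flagged": looks_encrypted(a) and looks_encrypted(b),
    }


# Constructed inputs (not the report's files): a seeded pseudo-random blob stands in for
# an encrypted archive body, a repetitive text blob for a plain configuration file.
_rng = random.Random(20241220)
ARCHIVE_LIKE = bytes(_rng.getrandbits(8) for _ in range(1 << 16))
TEXT_LIKE = b"<Task><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Task>\n" * 64
OBFUSCATED = xor_single_byte(ARCHIVE_LIKE, 0x5A)

if __name__ == "__main__":
    print("archive-like:", round(shannon_entropy(ARCHIVE_LIKE), 6), looks_encrypted(ARCHIVE_LIKE))
    print("text-like   :", round(shannon_entropy(TEXT_LIKE), 6), looks_encrypted(TEXT_LIKE))
    print("pair        :", compare_pair(ARCHIVE_LIKE, OBFUSCATED))
```

When `compare_pair` reports `same_size` and `same_profile` for two dropped files with different hashes, treat them as one artefact in two encodings and diff them byte by byte before spending time on the "data" copy on its own.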
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255975
                            Encrypted:true
                            SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                            MD5:CEA69F993E1CE0FB945A98BF37A66546
                            SHA1:7114365265F041DA904574D1F5876544506F89BA
                            SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                            SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                            Malicious:false
                            Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                            Process:C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255979
                            Encrypted:true
                            SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                            MD5:4CB8B7E557C80FC7B014133AB834A042
                            SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                            SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                            SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                            Malicious:false
                            Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                            MD5:8622FC7228777F64A47BD6C61478ADD9
                            SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                            SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                            SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                            Malicious:false
                            Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                            Process:C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                            MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                            SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                            SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                            SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                            Malicious:false
                            Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.99759370165655
                            Encrypted:true
                            SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                            MD5:950338D50B95A25F494EE74E97B7B7A9
                            SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                            SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                            SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                            Malicious:false
                            Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                            Process:C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.997593701656546
                            Encrypted:true
                            SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                            MD5:059BA7C31F3E227356CA5F29E4AA2508
                            SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                            SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                            SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                            Malicious:false
                            Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653607
                            Encrypted:true
                            SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                            MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                            SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                            SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                            SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                            Malicious:false
                            Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                            Process:C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:modified
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653608
                            Encrypted:true
                            SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                            MD5:A9C8A3E00692F79E1BA9693003F85D18
                            SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                            SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                            SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                            Malicious:false
                            Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                            Process:C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):3221009
                            Entropy (8bit):7.999940595371902
                            Encrypted:true
                            SSDEEP:98304:6agv3bsjsmV7kOYQQOanECdSue7C9A8lBQ:ifbsj33anEKSueIPBQ
                            MD5:4090D84E35D0027AD6F80E5025EFFA48
                            SHA1:BB0E514B427D866B4BA46B41A810EB58DA2E76A3
                            SHA-256:7DA43951BF763885F9C2CF070A8F1BB30648FB2480EBE357EBE3F8A76F30CFFA
                            SHA-512:8BE39035256DCA49065FBA6749DA0DD32203D6646E0A972CB60AF54B58D74477D3F6B6A423D959C517E7E2D778F95F803C92013FD785DF803A49267650B20A85
                            Malicious:false
                            Preview:7z..'...<.(/.%1.....A........Qh;..m...-......cb..z.b...V.M..}...,.<|sj.m.;.&.#.....s9.Z".....B@.).H.....y.......u.j,..6...m............O:.b?.eo..P?.......+..C.A.U.^..];".{k9...........h.Yw..jv....a.5p.g...@.e....h"n../B...M....;..3#k.z......h.`fc!o.;...1?...~...K.C..am...).H..-...})..F.48...&.N...4g......W;...,.t@P.o%........<...oX5...b....BR.V[.."..6..ne..'...._~9...m/+..X=.U...A-..v...5.2j......V.>..dzT.9.]pF./o....x$..cu-.rb........a..[-^(....u...{.*......'..U..{.~...X'..S].f++..Y.....n..._.m..>t.^%......O..P...BD...5....%.X.~....w.n..).`.)[..U.g+.......a......r.gW.....}..`c%.."..|f..r....]..;$.....`......b..p...<f.#....Q)K3....3^.U;.9..).....p....(Np.7.3......hO&.OKj..........qV.....hpiW..`Id_.$Mb.,0>v&.x1.4.(.jT'..a{.[..Y...1.c>'.@V..v.....Z4/...#z.(...c...4..!.Q....;.9i'..(`.y..L......qD.4..%H*.B$..;...f.~G.!#[.....R..).k.....v.B.R........Dw.....%..<.2......k...T_;.Y....u.$v...67~".$...>.<.g%....gu......@..V......-gi...ZsA...U..)x..>=.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):63640
                            Entropy (8bit):6.482810107683822
                            Encrypted:false
                            SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                            MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                            SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                            SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                            SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 9%
                            • Antivirus: Virustotal, Detection: 6%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
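The record above is a PE32+ image that `file` labels "(native)": that label comes from the optional header's Subsystem field being IMAGE_SUBSYSTEM_NATIVE (1), and the preview shows an INIT section beside .text/.rdata/.data/.pdata, the section layout of a kernel-mode driver (INIT holds DriverEntry-time code the loader can discard). Dropping a driver from an installer is what makes this entry worth a second look regardless of its low multi-engine hit rate. The following Python is an added example, not code from the report or from the sample, that reads exactly those header fields and applies that classification. The two inputs are constructed minimal PE headers (no code) whose section lists mirror the driver preview above and the DLL preview earlier in the listing.

```python
import struct

IMAGE_SUBSYSTEM_NATIVE = 1          # what `file` prints as "(native)"
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe(data: bytes) -> dict:
    """Read the few header fields triage needs: machine, magic, subsystem, section names."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset for PE32 and PE32+
    sections = []
    for i in range(nsec):
        name, *_rest, sec_chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), sec_chars))
    return {"machine": machine, "magic": magic, "subsystem": subsystem,
            "characteristics": chars, "sections": sections}


def classify(info: dict) -> str:
    """The reasoning behind the `file` label, plus the INIT heuristic for kernel drivers."""
    names = {n for n, _ in info["sections"]}
    bits = "PE32+" if info["magic"] == PE32PLUS_MAGIC else "PE32"
    if info["subsystem"] == IMAGE_SUBSYSTEM_NATIVE and "INIT" in names:
        return f"{bits} kernel-mode driver (native subsystem, INIT section)"
    if info["subsystem"] == IMAGE_SUBSYSTEM_NATIVE:
        return f"{bits} native-subsystem image"
    if info["characteristics"] & IMAGE_FILE_DLL:
        return f"{bits} DLL"
    return f"{bits} user-mode executable"


def build_sample(machine, magic, subsystem, characteristics, section_names) -> bytes:
    """Constructed minimal PE headers (no code) mirroring the layouts seen in the previews."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE signature right after DOS header
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


DRIVER_LIKE = build_sample(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC, IMAGE_SUBSYSTEM_NATIVE, 0x0022,
                           [b".text", b".rdata", b".data", b".pdata", b"INIT", b".rsrc", b".reloc"])
DLL_LIKE = build_sample(IMAGE_FILE_MACHINE_I386, PE32_MAGIC, IMAGE_SUBSYSTEM_WINDOWS_CUI, 0x2102,
                        [b".text", b".rdata", b".data", b".00cfg", b".tls", b".rsrc", b".reloc"])

if __name__ == "__main__":
    for label, blob in (("driver-like", DRIVER_LIKE), ("dll-like", DLL_LIKE)):
        print(label, "->", classify(parse_pe(blob)))
```

On a real dropped file, run `classify(parse_pe(open(path, "rb").read()))`; a native-subsystem result on anything an installer wrote outside `System32\drivers` is a finding on its own, before any signature verdict.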
                            Process:C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):4096
                            Entropy (8bit):3.340989669697226
                            Encrypted:false
                            SSDEEP:48:dXKLzDlnyL6w0QldOVQOj933ODOiTdKbKsz72eW+5y2:dXazDlnHwhldOVQOj6dKbKsz7
                            MD5:E1D51247D1DAF8A0FC6537B88C88FDE2
                            SHA1:D57695EFE59DE41E3EDB50A8331609B4E7A88168
                            SHA-256:F06F970B6AEC492D4CE8EABEF736C88E03C3D560EBA0A951A278A2441D2A582E
                            SHA-512:87BF2EAC8F23B7A56BFC9F56CA7F155A0C66492C5F33FAEC3F2F9D7E1FE84A6A0C3D520791839CBB5B19AC4CA28DCECC1798D2287B03EE03100C573C62BD2F21
                            Malicious:false
                            Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\turminoob</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAva
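The XML above is a Task Scheduler definition (the preview stops inside the Settings block). Its RegistrationInfo claims Microsoft Corporation as author with a 2005 date while registering under the non-Microsoft URI `\turminoob`; a LogonTrigger re-runs it at every logon, RunLevel HighestAvailable hands it the user's elevated token where one exists, and the Settings block switches off the battery and hard-terminate stops that would otherwise interrupt it. The following Python is an added example, not part of the report, that parses a constructed copy of this task plus a benign counterpart and lists those indicators. The Actions element in the constructed sample is a placeholder, since the preview does not reach that far, and the list of user-writable directories is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: directories a standard user can write to; adjust for your environment.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")

# Constructed sample mirroring the preview above; the Actions block is a placeholder,
# the real task's command is not visible in the report.
SAMPLE_TASK_XML = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2005-10-11T13:21:17-08:00</Date>
    <Author>Microsoft Corporation</Author>
    <Version>1.0.0</Version>
    <Description>Microsoft</Description>
    <URI>\turminoob</URI>
  </RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled><UserId>user</UserId></LogonTrigger></Triggers>
  <Principals><Principal id="System"><UserId>user</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="System"><Exec><Command>C:\Users\user\AppData\Local\Temp\placeholder.exe</Command></Exec></Actions>
</Task>"""

# Constructed benign task for contrast: vendor-consistent URI, time trigger, least privilege.
BENIGN_TASK_XML = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Contoso</Author><URI>\Contoso\Updater</URI></RegistrationInfo>
  <Triggers><TimeTrigger><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><AllowHardTerminate>true</AllowHardTerminate></Settings>
  <Actions><Exec><Command>C:\Program Files\Contoso\updater.exe</Command></Exec></Actions>
</Task>"""


def _text(node, path: str, default: str = "") -> str:
    el = node.find(path, NS)
    return (el.text or "").strip() if el is not None else default


def triage_task(xml_text: str) -> list:
    """Return one 'category: detail' string per persistence/privilege indicator found."""
    root = ET.fromstring(xml_text)
    findings = []
    author = _text(root, "t:RegistrationInfo/t:Author")
    uri = _text(root, "t:RegistrationInfo/t:URI")
    if "microsoft" in author.lower() and not uri.lower().startswith("\\microsoft\\"):
        findings.append(f"vendor spoofing: Author={author!r} but URI={uri!r} is not under \\Microsoft\\")
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("persistence: LogonTrigger re-runs the action at every logon")
    for principal in root.findall("t:Principals/t:Principal", NS):
        if _text(principal, "t:RunLevel") == "HighestAvailable":
            findings.append("privilege: RunLevel=HighestAvailable (elevated token when the user is an admin)")
    hardening = {
        "t:Settings/t:AllowHardTerminate": "false",
        "t:Settings/t:StopIfGoingOnBatteries": "false",
        "t:Settings/t:DisallowStartIfOnBatteries": "false",
        "t:Settings/t:StartWhenAvailable": "true",
    }
    hits = [p.split(":")[-1] for p, want in hardening.items() if _text(root, p).lower() == want]
    if len(hits) >= 3:
        findings.append("resilience: " + ", ".join(hits) + " keep the task alive regardless of power state")
    for cmd in root.findall("t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip()
        if any(d in path.lower() for d in USER_WRITABLE_DIRS):
            findings.append(f"action: command in a user-writable location: {path}")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, triage_task(xml_text) or ["no findings"])
```

Run the same function over `C:\Windows\System32\Tasks\*` on a suspect host: the files there are this XML with a UTF-16 BOM, so decode before parsing. Vendor spoofing combined with a logon trigger and HighestAvailable is the combination that should page someone even when the command path itself looks unremarkable.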
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2970813
                            Entropy (8bit):7.999933720029463
                            Encrypted:true
                            SSDEEP:49152:VFhJ5YgezPp0Pkb1EhI5LLh08nFa6aS1YO3PhX1RgxrMlJZHeYqNXaHtWeNU2:VF187yq1nl0iFawyO3PhfO4zZHe4tWej
                            MD5:92132FE3BD20C7955B8DBD8B1C7A2312
                            SHA1:86792AB31D1706F69B1E048F3E301A0B3924106E
                            SHA-256:EF9260CC02284F63FC5106B6F9A2C05DEB31F4700FBB4CDEBD201C3CD8227EE0
                            SHA-512:1B48D8AF7489B5928988982895C901921C0D9BB7D02138DC5CAE0FB6B67030FF1556DD6964BFAF94F3A13B349E11AE31F512A38BA72860BCD0CE5CB8DDE508EC
                            Malicious:false
                            Preview:!..)..2..b`}.w.........T..t...+9d.j.d...sn....0Q...D...h..+8..F.92..4~.sS0........nC..y..%...$......%..,\...HF.Pp).....>.Nbx..,.......=R..#..C...F..Pv..i%...],..y..k.;...E{1..%".j.*Nt.4.W.f."..J..t....%.~.SN."4v.......$(.b`.iI<.....'F._u...Q..vV0.e..........M..m..;6qrw....oj..@)$.VyA.3.|)y..........|.H....a...q...R.C.5..}..oV.......[.^..wD:[hY..,.).D..9.V.}.U..........nE.........v(f.7...v.....\=..Sr.W..d.ej7.Z...[..L...,..N..+..`lCf..@|..n..|..m^am.E."......M.n...[..,..'.o..kt..Yquzq..o..2d.ky.C..5Z.iI.............~(M.u....*^W.I{._..oy ..d..O..>....K..o .i..r....:.d.i<.nX>...Zv..s....<.>.IBq.;..{...M...7......h...^..~..9O..6.e.P..W..x.8,-..d7...w...J6.4...s.....&.....d..\f.D..Io..P..E....L.4....ew.+%....''q"E.WJ.^^&.q:.......z.-..B-.(.@.....d(.......b...%O.CF.. (yDW..^..s}.!..vd....}c......V..... .A>%.E.y..%...Z2|5.t.X.A.....B.......+.a(.cy.......G..k...&.|..=...\..5.....gg??/.r.g.%...f9..?hn.;......X.%>j!..(..I..9.....x6..D..HE(...U
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):1.1510207563435464
                            Encrypted:false
                            SSDEEP:3:Nlllullkv/tz:NllU+v/
                            MD5:6442F277E58B3984BA5EEE0C15C0C6AD
                            SHA1:5343ADC2E7F102EC8FB6A101508730898CB14F57
                            SHA-256:36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
                            SHA-512:F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
                            Malicious:false
                            Preview:@...e................................................@..........
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):6553088
                            Entropy (8bit):7.647769337217841
                            Encrypted:false
                            SSDEEP:196608:90JmOiIkT/p5gtxNvL/6amzp5+/2nfD3:fjghjCZm2f
                            MD5:7660CD2408FA83CD090E58097DF443EA
                            SHA1:927B4D4213058490E4A5F0E8F917F492A7B9816F
                            SHA-256:02A7CA1654FA8AE05144BB9750DC43784E00AAD587B2DEE2E3AED67AB82D0C52
                            SHA-512:A93AE155006D47B59D34358B202B04EBB14E9BD62F64E4FB8FFD80102836B2BCA92382A7CA8559105EC4F66587918A498C59F510CF3FB2DE94B96FC83AA8A849
                            Malicious:true
                            Antivirus:
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: Virustotal, Detection: 11%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....lg...........!.....:...........u........................................d...........@.........................t.......a...(....0d......................@d..:...................................................................................text....9.......:.................. ..`.rdata.......P.......>..............@..@.data...`....P.......0..............@....00cfg.......0......................@..@.tls.........@......................@....voltbl.F....P...........................XkS....`.G..`....G................. ..`.rsrc........0d.......c.............@..@.reloc...:...@d..<....c.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):6553088
                            Entropy (8bit):7.647769337217841
                            Encrypted:false
                            SSDEEP:196608:90JmOiIkT/p5gtxNvL/6amzp5+/2nfD3:fjghjCZm2f
                            MD5:7660CD2408FA83CD090E58097DF443EA
                            SHA1:927B4D4213058490E4A5F0E8F917F492A7B9816F
                            SHA-256:02A7CA1654FA8AE05144BB9750DC43784E00AAD587B2DEE2E3AED67AB82D0C52
                            SHA-512:A93AE155006D47B59D34358B202B04EBB14E9BD62F64E4FB8FFD80102836B2BCA92382A7CA8559105EC4F66587918A498C59F510CF3FB2DE94B96FC83AA8A849
                            Malicious:true
                            Antivirus:
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....lg...........!.....:...........u........................................d...........@.........................t.......a...(....0d......................@d..:...................................................................................text....9.......:.................. ..`.rdata.......P.......>..............@..@.data...`....P.......0..............@....00cfg.......0......................@..@.tls.........@......................@....voltbl.F....P...........................XkS....`.G..`....G................. ..`.rsrc........0d.......c.............@..@.reloc...:...@d..<....c.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\Setup64v4.1.9.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3282432
                            Entropy (8bit):6.577767672935761
                            Encrypted:false
                            SSDEEP:49152:NdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQh333WT:DJYVM+LtVt3P/KuG2ONG9iqLRQh333U
                            MD5:9F18A5E381F7509154D344A6946A533A
                            SHA1:3B4308BECDCFA810AE5B552A1067F360CE898C6E
                            SHA-256:A0060D5DE5421B06375AE0298C3BB4DB66E67C2CE94B4E0B1DC517D09B4289CE
                            SHA-512:998CC90205E7F05B009B9C298B3CE10C096D3C60693E144A44B62953FACF08694AF2C321C693449691B5A4DED981BFC02BEF34FB092EDF691A0A583D64F110D3
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..P........*.......*...@...........................2...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                            Process:C:\Users\user\Desktop\Setup64v4.1.9.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3282432
                            Entropy (8bit):6.577767672935761
                            Encrypted:false
                            SSDEEP:49152:NdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQh333WT:DJYVM+LtVt3P/KuG2ONG9iqLRQh333U
                            MD5:9F18A5E381F7509154D344A6946A533A
                            SHA1:3B4308BECDCFA810AE5B552A1067F360CE898C6E
                            SHA-256:A0060D5DE5421B06375AE0298C3BB4DB66E67C2CE94B4E0B1DC517D09B4289CE
                            SHA-512:998CC90205E7F05B009B9C298B3CE10C096D3C60693E144A44B62953FACF08694AF2C321C693449691B5A4DED981BFC02BEF34FB092EDF691A0A583D64F110D3
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..P........*.......*...@...........................2...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:ASCII text, with CRLF, CR line terminators
                            Category:dropped
                            Size (bytes):406
                            Entropy (8bit):5.117520345541057
                            Encrypted:false
                            SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                            MD5:9200058492BCA8F9D88B4877F842C148
                            SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                            SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                            SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                            Malicious:false
                            Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.983954571040596
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 98.45%
                            • Inno Setup installer (109748/4) 1.08%
                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            File name:Setup64v4.1.9.exe
                            File size:12'899'330 bytes
                            MD5:f07267a8be1916ac2b02700f5fdb65bc
                            SHA1:15380faa66ef42ba6171ffed2bbee6bba9cc3e16
                            SHA256:7157a44b6835911bb056cea9b6f5d53eab8a393f25e425caee5de1183c00c571
                            SHA512:5f07314e8555085ab6fbe78ca2acea7e8a8eb376c967ce23f5a9dc4bf23588ff0119b880353842e3bd1124b676c127ede0cc270e03fce9046c1a4385e3c557b8
                            SSDEEP:393216:gBH71D5PwzHeGyn9XHWtpMrd4qN5xR3zy:I71D5S+f19d4qN5xR+
                            TLSH:56D62323B7CBE03DF49E4B3B0673A25494FB662665276E2297F445ACCF220601D7E253
                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                            Icon Hash:4c4d494959190d0c
                            Entrypoint:0x4a83bc
                            Entrypoint Section:.itext
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:1
                            File Version Major:6
                            File Version Minor:1
                            Subsystem Version Major:6
                            Subsystem Version Minor:1
                            Import Hash:40ab50289f7ef5fae60801f88d4541fc
                            Instruction
                            push ebp
                            mov ebp, esp
                            add esp, FFFFFFA4h
                            push ebx
                            push esi
                            push edi
                            xor eax, eax
                            mov dword ptr [ebp-3Ch], eax
                            mov dword ptr [ebp-40h], eax
                            mov dword ptr [ebp-5Ch], eax
                            mov dword ptr [ebp-30h], eax
                            mov dword ptr [ebp-38h], eax
                            mov dword ptr [ebp-34h], eax
                            mov dword ptr [ebp-2Ch], eax
                            mov dword ptr [ebp-28h], eax
                            mov dword ptr [ebp-14h], eax
                            mov eax, 004A2EBCh
                            call 00007FCF7CB9AD95h
                            xor eax, eax
                            push ebp
                            push 004A8AC1h
                            push dword ptr fs:[eax]
                            mov dword ptr fs:[eax], esp
                            xor edx, edx
                            push ebp
                            push 004A8A7Bh
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            mov eax, dword ptr [004B0634h]
                            call 00007FCF7CC2C71Bh
                            call 00007FCF7CC2C26Eh
                            lea edx, dword ptr [ebp-14h]
                            xor eax, eax
                            call 00007FCF7CC26F48h
                            mov edx, dword ptr [ebp-14h]
                            mov eax, 004B41F4h
                            call 00007FCF7CB94E43h
                            push 00000002h
                            push 00000000h
                            push 00000001h
                            mov ecx, dword ptr [004B41F4h]
                            mov dl, 01h
                            mov eax, dword ptr [0049CD14h]
                            call 00007FCF7CC28273h
                            mov dword ptr [004B41F8h], eax
                            xor edx, edx
                            push ebp
                            push 004A8A27h
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            call 00007FCF7CC2C7A3h
                            mov dword ptr [004B4200h], eax
                            mov eax, dword ptr [004B4200h]
                            cmp dword ptr [eax+0Ch], 01h
                            jne 00007FCF7CC3348Ah
                            mov eax, dword ptr [004B4200h]
                            mov edx, 00000028h
                            call 00007FCF7CC28B68h
                            mov edx, dword ptr [004B4200h]
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x3dfc | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            .rsrc | 0xcb000 | 0x3dfc | 0x3e00 | 0eefb6d053a8779d574a753018b80d10 | False | 0.2716103830645161 | data | 3.9582158898435735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_ICON | 0xcb438 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.05054151624548736
                            RT_STRING | 0xcbce0 | 0x3f8 | data | | | 0.3198818897637795
                            RT_STRING | 0xcc0d8 | 0x2dc | data | | | 0.36475409836065575
                            RT_STRING | 0xcc3b4 | 0x430 | data | | | 0.40578358208955223
                            RT_STRING | 0xcc7e4 | 0x44c | data | | | 0.38636363636363635
                            RT_STRING | 0xccc30 | 0x2d4 | data | | | 0.39226519337016574
                            RT_STRING | 0xccf04 | 0xb8 | data | | | 0.6467391304347826
                            RT_STRING | 0xccfbc | 0x9c | data | | | 0.6410256410256411
                            RT_STRING | 0xcd058 | 0x374 | data | | | 0.4230769230769231
                            RT_STRING | 0xcd3cc | 0x398 | data | | | 0.3358695652173913
                            RT_STRING | 0xcd764 | 0x368 | data | | | 0.3795871559633027
                            RT_STRING | 0xcdacc | 0x2a4 | data | | | 0.4275147928994083
                            RT_RCDATA | 0xcdd70 | 0x10 | data | | | 1.5
                            RT_RCDATA | 0xcdd80 | 0x310 | data | | | 0.6173469387755102
                            RT_RCDATA | 0xce090 | 0x2c | data | | | 1.1590909090909092
                            RT_GROUP_ICON | 0xce0bc | 0x14 | data | English | United States | 1.25
                            RT_VERSION | 0xce0d0 | 0x584 | data | English | United States | 0.24575070821529746
                            RT_MANIFEST | 0xce654 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                            DLL | Import
                            kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                            comctl32.dll | InitCommonControls
                            user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                            oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                            advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                            Name | Ordinal | Address
                            __dbk_fcall_wrapper | 2 | 0x40fc10
                            dbkFCallWrapperAddr | 1 | 0x4b063c
                            Language of compilation system | Country where language is spoken
                            English | United States
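                            The header block above (Entrypoint, Imagebase, Entrypoint Section, Digitally signed, the data directory table and the per-section entropy) is all derivable from the file itself. For this sample the arithmetic is: Entrypoint 0x4a83bc minus Imagebase 0x400000 gives RVA 0xa83bc, which lies in .itext (0xa7000 up to 0xa7000 + 0x1b64 = 0xa8b64), and an IMAGE_DIRECTORY_ENTRY_SECURITY of size 0x0 is why the report says "Digitally signed: false". The block below is an added example and not part of the Joe Sandbox report or of the sample: it constructs a small synthetic PE32 image in memory (so it runs offline, with no malware on disk), then parses the COFF and optional headers, resolves the entry-point section, reads the 16 data directories, computes per-section entropy over the raw data, and flags any writable-and-executable section. The section names, time stamp and image base in the synthetic image are chosen to mirror the report's values; the image itself is constructed.

```python
"""Reproduce a sandbox report's PE header checks with a small parser.

Added example, not part of the Joe Sandbox report. build_sample_pe() constructs a
minimal PE32 image in memory (constructed test input, not the analysed sample);
inspect_pe() reads what the report's header block summarises: entry point and the
section containing it, image base, data directories (an empty SECURITY entry means
no Authenticode signature), and per-section raw-data entropy.
"""
import math
import struct
from collections import Counter
from typing import Dict, List, Optional

DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
                   "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
                   "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for empty or single-valued data, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_pe(image: bytes) -> Dict:
    """Parse DOS/COFF/optional headers and the section table of a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsects, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    if magic == 0x10B:                                      # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
        ndirs_off = opt + 92
    elif magic == 0x20B:                                    # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
        ndirs_off = opt + 108
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", image, ndirs_off)[0]
    dirs = {DIRECTORY_NAMES[i]: struct.unpack_from("<II", image, ndirs_off + 4 + 8 * i)
            for i in range(min(ndirs, 16))}
    sections: List[Dict] = []
    entry_section: Optional[str] = None
    for i in range(nsects):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append({
            "name": name, "va": va, "vsize": vsize, "raw_size": raw_size,
            "entropy": round(shannon_entropy(image[raw_ptr:raw_ptr + raw_size]), 6),
            # writable+executable sections deserve a second look (self-modifying or unpacking code)
            "write_exec": bool(chars & SCN_MEM_EXECUTE) and bool(chars & SCN_MEM_WRITE),
        })
        if va <= entry_rva < va + max(vsize, raw_size):
            entry_section = name
    return {"machine": machine, "timestamp": timestamp, "image_base": image_base,
            "entry_rva": entry_rva, "entry_va": image_base + entry_rva,
            "entry_section": entry_section,
            "signed": dirs.get("SECURITY", (0, 0))[1] != 0,  # certificate table present?
            "directories": dirs, "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 (not the report's sample); entry point sits in .itext."""
    file_align, sect_align = 0x200, 0x1000
    payloads = [(b".text", b"\x90" * 0x40),                 # one byte value: low entropy
                (b".itext", bytes(range(256)) * 2)]          # every byte equally often: 8.0 bits
    opt_size = 96 + 16 * 8
    headers_len = -(-(0x40 + 4 + 20 + opt_size + 40 * len(payloads)) // file_align) * file_align
    hdrs, blobs, raw_ptr, va = b"", b"", headers_len, sect_align
    for name, data in payloads:
        raw_size = -(-len(data) // file_align) * file_align
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), va, raw_size, raw_ptr,
                            0, 0, 0, 0, 0x60000020)          # CNT_CODE | MEM_EXECUTE | MEM_READ
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr, va = raw_ptr + raw_size, va + sect_align
    entry_rva = 2 * sect_align + 0x10                        # 0x2010, inside .itext
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(payloads), 0x6690DABD, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6,
                      0x10B, 14, 0, 0, 0, 0, entry_rva, sect_align, 2 * sect_align, 0x400000,
                      sect_align, file_align, 6, 1, 6, 1, 6, 1, 0, va, headers_len, 0,
                      2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += struct.pack("<II", 0, 0) * 16                     # every directory empty, SECURITY included
    header = (bytes(dos) + b"PE\0\0" + coff + opt + hdrs).ljust(headers_len, b"\0")
    return header + blobs


if __name__ == "__main__":
    report = inspect_pe(build_sample_pe())
    print(f"entry {report['entry_va']:#x} in {report['entry_section']}, signed={report['signed']}")
    for s in report["sections"]:
        print(f"{s['name']:<8} va={s['va']:#x} raw={s['raw_size']:#x} entropy={s['entropy']}")
```

                            To apply it to a real file, pass the bytes of the file to inspect_pe(); the entropy values will differ from the report's only by rounding, since both are computed over each section's raw data. An empty SECURITY directory only tells you that no Authenticode certificate table is embedded; it says nothing about catalog signatures, which are not stored in the file.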
                            No network behavior found

                            Target ID:0
                            Start time:05:06:59
                            Start date:26/12/2024
                            Path:C:\Users\user\Desktop\Setup64v4.1.9.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\Setup64v4.1.9.exe"
                            Imagebase:0x660000
                            File size:12'899'330 bytes
                            MD5 hash:F07267A8BE1916AC2B02700F5FDB65BC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:05:06:59
                            Start date:26/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-MGHDN.tmp\Setup64v4.1.9.tmp" /SL5="$2047A,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe"
                            Imagebase:0x180000
                            File size:3'282'432 bytes
                            MD5 hash:9F18A5E381F7509154D344A6946A533A
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:05:07:00
                            Start date:26/12/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                            Imagebase:0x7ff788560000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:05:07:00
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:05:07:03
                            Start date:26/12/2024
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff693ab0000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            Target ID:5
                            Start time:05:07:05
                            Start date:26/12/2024
                            Path:C:\Users\user\Desktop\Setup64v4.1.9.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\Setup64v4.1.9.exe" /VERYSILENT
                            Imagebase:0x660000
                            File size:12'899'330 bytes
                            MD5 hash:F07267A8BE1916AC2B02700F5FDB65BC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:false

                            Target ID:6
                            Start time:05:07:05
                            Start date:26/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-F5HFV.tmp\Setup64v4.1.9.tmp" /SL5="$40496,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe" /VERYSILENT
                            Imagebase:0x50000
                            File size:3'282'432 bytes
                            MD5 hash:9F18A5E381F7509154D344A6946A533A
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:7
                            Start time:05:07:08
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:05:07:08
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:05:07:08
                            Start date:26/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                            Imagebase:0x110000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            • Detection: 0%, Virustotal, Browse
                            Reputation:moderate
                            Has exited:true

                            Target ID:10
                            Start time:05:07:08
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:11
                            Start time:05:07:08
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:12
                            Start time:05:07:09
                            Start date:26/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                            Imagebase:0x110000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:13
                            Start time:05:07:09
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:14
                            Start time:05:07:09
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:15
                            Start time:05:07:09
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:16
                            Start time:05:07:09
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:17
                            Start time:05:07:09
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:18
                            Start time:05:07:09
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:19
                            Start time:05:07:09
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:20
                            Start time:05:07:09
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:21
                            Start time:05:07:09
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:22
                            Start time:05:07:10
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:23
                            Start time:05:07:10
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:24
                            Start time:05:07:10
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:25
                            Start time:05:07:10
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:26
                            Start time:05:07:10
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:27
                            Start time:05:07:10
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:28
                            Start time:05:07:10
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:29
                            Start time:05:07:10
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:30
                            Start time:05:07:10
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:31
                            Start time:05:07:10
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:32
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:33
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:34
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:35
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:36
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:37
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:38
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:39
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:40
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:41
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:42
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:43
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:44
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:45
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:46
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:47
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:48
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:49
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:50
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:51
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:52
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:53
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:54
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:55
                            Start time:05:07:11
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:56
                            Start time:05:07:12
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:57
                            Start time:05:07:12
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:58
                            Start time:05:07:12
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:59
                            Start time:05:07:12
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:60
                            Start time:05:07:12
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:61
                            Start time:05:07:12
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:62
                            Start time:05:07:12
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:63
                            Start time:05:07:12
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:64
                            Start time:05:07:12
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:65
                            Start time:05:07:12
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:66
                            Start time:05:07:12
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:67
                            Start time:05:07:12
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:68
                            Start time:05:07:12
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:69
                            Start time:05:07:12
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:70
                            Start time:05:07:12
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:71
                            Start time:05:07:12
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7699e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:72
                            Start time:05:07:12
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:73
                            Start time:05:07:12
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:74
                            Start time:05:07:13
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:75
                            Start time:05:07:13
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:76
                            Start time:05:07:13
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:77
                            Start time:05:07:13
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:78
                            Start time:05:07:13
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:79
                            Start time:05:07:13
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:80
                            Start time:05:07:13
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:81
                            Start time:05:07:13
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:82
                            Start time:05:07:13
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:83
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:84
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:85
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:86
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:87
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:88
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:89
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:90
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:91
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:92
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:93
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:94
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:95
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:96
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:97
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:98
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:99
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:100
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:101
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:102
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:103
                            Start time:05:07:14
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:105
                            Start time:05:07:15
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:106
                            Start time:05:07:15
                            Start date:26/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff707a50000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:107
                            Start time:05:07:15
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:108
                            Start time:05:07:15
                            Start date:26/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff746760000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true
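The entries above are a single burst: each `cmd /c start sc start CleverSoar` wrapper spawns an `sc.exe` (plus a `conhost.exe`, because cmd's `start` launches the child in its own console), all elevated and all between 05:07:14 and 05:07:15. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses process entries laid out in this report's `Key:Value` block format and flags a service that `sc.exe` is asked to start repeatedly inside a short window. The embedded entries are a constructed, trimmed subset of the ones shown above; the 5 second window and the threshold of 3 attempts are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the report's own "Key:Value" block layout. It is a
# trimmed subset of the Target ID 84..108 entries shown above, not the full list.
SAMPLE_REPORT = """\
Target ID:84
Start time:05:07:14
Start date:26/12/2024
Path:C:\\Windows\\System32\\sc.exe
Commandline:sc start CleverSoar

Target ID:86
Start time:05:07:14
Start date:26/12/2024
Path:C:\\Windows\\System32\\cmd.exe
Commandline:cmd /c start sc start CleverSoar

Target ID:87
Start time:05:07:14
Start date:26/12/2024
Path:C:\\Windows\\System32\\sc.exe
Commandline:sc start CleverSoar

Target ID:88
Start time:05:07:14
Start date:26/12/2024
Path:C:\\Windows\\System32\\conhost.exe
Commandline:C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1

Target ID:105
Start time:05:07:15
Start date:26/12/2024
Path:C:\\Windows\\System32\\cmd.exe
Commandline:cmd /c start sc start CleverSoar

Target ID:106
Start time:05:07:15
Start date:26/12/2024
Path:C:\\Windows\\System32\\sc.exe
Commandline:sc start CleverSoar
"""

# "sc start <name>" or "sc.exe start <name>", case-insensitive, anywhere on the command line.
SC_START = re.compile(r"(?i)(?:^|\s)sc(?:\.exe)?\s+start\s+(\S+)")
# cmd's builtin "start" launches the child detached in a new console, which is
# why each wrapper in the report is followed by its own conhost.exe entry.
CMD_DETACHED = re.compile(r"(?i)^cmd(?:\.exe)?\s+/c\s+start\b")


def parse_process_blocks(text):
    """Split the report text into blank-line separated blocks, each a dict of Key -> Value."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")   # split on the first colon only
            if sep:
                entry[key.strip()] = value.strip()
        if entry:
            procs.append(entry)
    return procs


def _started_at(proc):
    """Combine the report's separate date and time fields (dd/mm/yyyy and HH:MM:SS)."""
    return datetime.strptime(f"{proc['Start date']} {proc['Start time']}", "%d/%m/%Y %H:%M:%S")


def find_service_start_bursts(procs, window_seconds=5, threshold=3):
    """Return {service: attempts} for services that sc.exe was asked to start at
    least `threshold` times inside any `window_seconds` span. Only sc.exe
    processes are counted so the cmd.exe wrappers do not double-count."""
    starts = defaultdict(list)
    for p in procs:
        if not p.get("Path", "").lower().endswith("\\sc.exe"):
            continue
        m = SC_START.search(p.get("Commandline", ""))
        if m:
            starts[m.group(1)].append(_started_at(p))
    window = timedelta(seconds=window_seconds)
    bursts = {}
    for service, times in starts.items():
        times.sort()
        best = lo = 0
        for hi, t in enumerate(times):      # sliding window over sorted start times
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bursts[service] = best
    return bursts


def count_detached_wrappers(procs):
    """Count cmd.exe entries that used 'cmd /c start ...' to launch a detached child."""
    return sum(1 for p in procs if CMD_DETACHED.match(p.get("Commandline", "")))


if __name__ == "__main__":
    procs = parse_process_blocks(SAMPLE_REPORT)
    print(find_service_start_bursts(procs), count_detached_wrappers(procs))
```

On the constructed sample this reports `{'CleverSoar': 3}` and two detached wrappers; run against the full list above, the same logic yields a much larger count for the same service name, which is the signal a detection rule on process-creation telemetry (the `sc.exe` image with a `start` argument, repeated for one service name within seconds, from an elevated parent) would key on.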


                              Execution Graph

                              Execution Coverage:0.1%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:9.3%
                              Total number of Nodes:43
                              Total number of Limit Nodes:1
                              execution_graph (flattened node/edge dump of the rendered graph; recoverable summary): root 6c6dc974 -> 6c6dc980; error path 6c6dc987 GetLastError, ExitThread; 6c6e22c2 GetLastError; 6c6e4433 TlsGetValue, GetProcAddress; 6c6e4472 TlsSetValue, GetProcAddress (reached from several call sites); 6c6e2364 SetLastError; 6c6e7676 / 6c6e7688 GetPEB; 6c6e467f and 6c6e4728 GetProcAddress; 6c6dc8df (11 API calls); 6c6dde29 GetLastError, SetLastError, TlsGetValue, TlsSetValue, GetProcAddress.

                              Control-flow Graph

                              APIs
                              • GetLastError.KERNEL32(6C703A20,0000000C), ref: 6C6DC987
                              • ExitThread.KERNEL32 ref: 6C6DC98E
                              Memory Dump Source
                              • Source File: 00000006.00000002.1904192373.000000006C611000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C610000, based on PE: true
                              • Associated: 00000006.00000002.1904171768.000000006C610000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1905104205.000000006C6F5000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1909517846.000000006CC53000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: ErrorExitLastThread
                              • String ID:
                              • API String ID: 1611280651-0
                              • Opcode ID: 8b90557a3fd538b3c0fe36e6a3907bc8540f162175f87b77b30fbe21a7863527
                              • Instruction ID: ce72b7f37ac6599768e836ebb25ff4b6be171ac625466e26c72bcaac02f3b913
                              • Opcode Fuzzy Hash: 8b90557a3fd538b3c0fe36e6a3907bc8540f162175f87b77b30fbe21a7863527
                              • Instruction Fuzzy Hash: B3F0C2B0A04205AFDB05AFB0C409EAE3B75FF46308F11055AF402ABB80CF30A945CBA8
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C733CE5
                                • Part of subcall function 6C709C2A: __EH_prolog.LIBCMT ref: 6C709C2F
                                • Part of subcall function 6C70B6A6: __EH_prolog.LIBCMT ref: 6C70B6AB
                                • Part of subcall function 6C733A0E: __EH_prolog.LIBCMT ref: 6C733A13
                                • Part of subcall function 6C733837: __EH_prolog.LIBCMT ref: 6C73383C
                                • Part of subcall function 6C737143: __EH_prolog.LIBCMT ref: 6C737148
                                • Part of subcall function 6C737143: ctype.LIBCPMT ref: 6C73716C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog$ctype
                              • String ID:
                              • API String ID: 1039218491-3916222277
                              • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                              • Instruction ID: 5b626b03d3b139384263055eca9227f5e0278fbe1150011e3924d272baf0709b
                              • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                              • Instruction Fuzzy Hash: 9E03DE709012A8DFDF15CFA4CA5CBDCBBB0AF15308F2480A9D84967792DB745B89DB21
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: x=J
                              • API String ID: 3519838083-1497497802
                              • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction ID: 1b59c26b1a5a615b3fac26dbfc19e4de5c79000bb5bed12c2f089a8663641ec3
                              • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction Fuzzy Hash: ED91D4F1F011099ACF04DFA4DAA89EDB7F1FF05348F208069D851A7A52DB715B89CB94
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID: @4J$DsL
                              • API String ID: 0-2004129199
                              • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction ID: 101d0ae307244ea2bf9a9d3a304ed9ca8a3a9d5c3d8bfc36280362c1297c46f2
                              • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction Fuzzy Hash: 7E218D37AA48560BD74CCA68EC33AB92680E744305B88527EE94BCB7E1DE6C8800C648
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C72240F
                                • Part of subcall function 6C723137: __EH_prolog.LIBCMT ref: 6C72313C
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                              • Instruction ID: 988aeafca1a83db13b464cbee76ed742210fa67927f59d95461ae0ea03c5639b
                              • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                              • Instruction Fuzzy Hash: C0629C71D14219CFDF15CFA4CA98BEDBBB4BF08318F14416AE855ABA80D7789A44CF90
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID: YA1
                              • API String ID: 0-613462611
                              • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                              • Instruction ID: 3c35f9e2333263a5bdc35342dcc712442476e11e36442ba3924ae49e3682f2a1
                              • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                              • Instruction Fuzzy Hash: E44214306093858FD725CF28C59069ABBE2FFC9318F145A6DE8D58B742D771D80ACB62
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: __aullrem
                              • String ID:
                              • API String ID: 3758378126-0
                              • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction ID: d521bcb3fa1a50fa38054f12074c4bfdf9bf191b55daee2f5c4dc6019e437fd5
                              • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction Fuzzy Hash: 1351E8B1A043459BD710CF6EC4C12EAFBF6AF79214F18C05AE88897242D27A499AC760
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction ID: a85768886dfcf90e12e2761e58b2afb71b92a0a0120261207e84cac86a05eca8
                              • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction Fuzzy Hash: 9602AC3160A3818BD325CF29C69079EBBE2ABC8358F144A3DFAD697B51C770D945CB42
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID: (SL
                              • API String ID: 0-669240678
                              • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction ID: 065ff472b07d250cb6fdb6f2462e06a2de0aa211fa47e8b67d2dde136d52037f
                              • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction Fuzzy Hash: 1F516473E208314AD78CCE24DC2177572D2E784310F8BC2B99D4BAB6E6DD78989587D4
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction ID: b952060e4b392b2786f0d581d5e5e5ef61f5caf8d78b6cc655f234a873227ef2
                              • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction Fuzzy Hash: CA528F31208B458BD728CF29C6946AABBE2FFA5308F148A2DD4DAC7B41DB70F445CB55
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction ID: 140c155310c044133fd5f2869f57efe234cf805b8cf831dee0f794b9e8638d16
                              • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction Fuzzy Hash: E96214B1A087458FC714CF1AD68091AFBF6BFC8744F248A2EE89997715D770E845CB82
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction ID: 7f0cfa89f4cc91ff6ec5501659bcbd8acbdfd46cd50e1252225f22b94d7b1619
                              • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction Fuzzy Hash: 2112AF7160A3458FC718CF29C6906AABBF2BFC8344F54893DE6A687B42D731E845CB51
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction ID: 613487c8aa1e75cdd4b75fac180de45327bce64e4927c1df8e87ef4d5d4422e0
                              • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction Fuzzy Hash: 00022832A483118BC318CE28D580269BBF7FBC4345F190B3EE49697B96D770D894CB82
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                              • Instruction ID: bd5776b1ccd442b575cde822768e743fbeff37ae3fc4e3df58dd3d0479642022
                              • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                              • Instruction Fuzzy Hash: 29F100326042888BEF34DE2CD9507EEBBE2FBC9305F544539D889CBB41DB35954A87A1
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                              • Instruction ID: 173007538d3e4f713f13967a3b9cc3b53d25ea62ee00115a2908ac9483ee86b5
                              • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                              • Instruction Fuzzy Hash: 4FD131715067128FD718EF2DC5A4236BBE1FF86305F054ABDDAA28B78AD7349605CB40
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction ID: 8f8d38bb849358b8f17576c6c7a6e179bb1a01a0ac052074626fb196b1feb70c
                              • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction Fuzzy Hash: 29C1B5352047458BC728CF39D2A0697BFE2EFD9314F148A6DC4DA8BB56DA30A40DCB65
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction ID: f77986e58f35b62b6e5f94439c85a98613b19215ca959f28b298c49e21ed273d
                              • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction Fuzzy Hash: FEB1C0313047094BEB24DF39CA98BDAB7E1BF84318F44452DC5AA87B51DF34B50987A1
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                              • Instruction ID: c29c80ff79d6113136ca3f52304ec08377df1b395f8727aa93f9995b857a4411
                              • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                              • Instruction Fuzzy Hash: 76B18A7560470A8FC314DF29C9806EAF7E2FFC8304F14892DE49A87711E771A55ACBA6
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                              • Instruction ID: 559716ef8a3ae9a33d1d7883021436a8e4058ae519a96fb4494dbd7b7a152308
                              • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                              • Instruction Fuzzy Hash: 89A1037221D3419FC319CF29C69069EBBE1ABD5308F148A3DE5D6C7B41D631EA4ACB42
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                              • Instruction ID: abfd2fec1306410e6a692232718a69e86624b64723a97e1a143b0653304738a9
                              • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                              • Instruction Fuzzy Hash: 3881BF35A057018FC320CF29C180646B7E2FF99714F288A7DC699DB715E772EA46CB81
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction ID: b989bef354057c7b85744302e0fcd90e23eef1fc20d42fc28ad64457fbc0bc41
                              • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction Fuzzy Hash: 0D518072F046099FDB08CE98DE926ADB7F1EB98304F28857AD111E7B82D7749A41CF44
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction ID: 2634bdf23425acd3f49c636be113d8ce5f2e64f1b38bb7fb4f46f4fcc5821dcc
                              • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction Fuzzy Hash: 183114277A840103C70CCD3BCD1279F91575BD422A70ECF39AC09DEF56D52CC8164144
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                              • Instruction ID: 49fa0e5f510183b275095d123494cdcbc172079cbfb8a60aa1f3e0f88a4ef22d
                              • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                              • Instruction Fuzzy Hash: 3F219077320A0647E74C8A38D93737532D0A705318F98A26DEA6BCE2C2E73AC457C385
                              Memory Dump Source
                              • Source File: 00000006.00000002.1904192373.000000006C611000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C610000, based on PE: true
                              • Associated: 00000006.00000002.1904171768.000000006C610000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1905104205.000000006C6F5000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1909517846.000000006CC53000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5c9894cd077a2c440a1f974aad43339a956dc4c7ef1791398d89484d1280d6b2
                              • Instruction ID: 15897804d3aa0d344a66018f096cc443cfd39ceaf8e273b0ba274ef6deea26e3
                              • Opcode Fuzzy Hash: 5c9894cd077a2c440a1f974aad43339a956dc4c7ef1791398d89484d1280d6b2
                              • Instruction Fuzzy Hash: 4DF03771A152249BCB11DA4DC905B8573F8D74A759F110156E501A7641C6B0ED41C7D8
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                              • Instruction ID: 79bb21561801745295d783b800fc6bf97490bfd90da4f823d67ba6362670e109
                              • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                              • Instruction Fuzzy Hash: 3AC08CA312810017C306EA3599C0BAAF6A37361330F228D3EE0A2E7E43C329D0658511

                              Control-flow Graph
                              • Function start: 6c73bb50
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                              • API String ID: 3519838083-609671
                              Control-flow Graph
                              • Function start: 6c723798
                              Similarity
                              • API ID: __aulldiv$H_prolog
                              • String ID: >WJ$x$x
                              • API String ID: 2300968129-3162267903
                              Control-flow Graph
                              • Function start: 6c711fa6
                              Similarity
                              • API ID: __aulldiv$__aullrem
                              • String ID:
                              • API String ID: 2022606265-0
                              Control-flow Graph
                              • Function start: 6c7176ec
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C7176F1
                                • Part of subcall function 6C726173: __EH_prolog.LIBCMT ref: 6C726178
                              • __EH_prolog.LIBCMT ref: 6C7178F9
                              Similarity
                              • API ID: H_prolog
                              • String ID: IJ$WIJ$J
                              • API String ID: 3519838083-740443243
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C72B41D
                                • Part of subcall function 6C72BE40: __EH_prolog.LIBCMT ref: 6C72BE45
                                • Part of subcall function 6C72B8EB: __EH_prolog.LIBCMT ref: 6C72B8F0
                                • Part of subcall function 6C72B593: __EH_prolog.LIBCMT ref: 6C72B598
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: &qB$0aJ$A0$XqB
                              • API String ID: 3519838083-1326096578
                              • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction ID: 5ab94c25839066f47613eea69ba4ecddd2134c12356eaafe52e5f200c21d6832
                              • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction Fuzzy Hash: 55218EB1E01258AACF05DBE5DA9C9EDBBF4AF15318F10806AE51667781DB781E0CCB50

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: J$0J$DJ$`J
                              • API String ID: 3519838083-2453737217
                              • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                              • Instruction ID: 1a91df6764e4438085ea9067c3906bf34b70e7d28b03c4be6ff709304317fcf4
                              • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                              • Instruction Fuzzy Hash: F111B0B0900B648AC7249F5AC55859AFBE4BFA5708B10CA1FC4A787B50C7F8A548CB99

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $!$@
                              • API String ID: 3519838083-2517134481
                              • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction ID: 58b5625096319baac91be1fefca74a650f026f9d9fb12e00b94e4e93011b9061
                              • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction Fuzzy Hash: 66129E70D01249DFCF04CFA4CA94ADDBBB1BF08308F548469E445ABB51DB35E965DB60

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog__aulldiv
                              • String ID: $SJ
                              • API String ID: 4125985754-3948962906
                              • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction ID: ef4f1dd2817126ba5e1efdd96992c9868cc51d4954af4ebbcba1e009dd0dc88c
                              • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction Fuzzy Hash: 21B16CB1D04209DFCB14CFA9CA949EEBBB5FF48318B24862ED459A7B51C730AA45CF50

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $CK$CK
                              • API String ID: 3519838083-2957773085
                              • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                              • Instruction ID: f1f79f13b91b7cac3b6b40fdf21b574f51cd42b7d7cf2f8d2b352214a9065262
                              • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                              • Instruction Fuzzy Hash: 1D21B670E41205CBCB04DFE9C6841EEF7FAFF94314F14862EC522A7B92C7785A068A60

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0$LrJ$x
                              • API String ID: 3519838083-658305261
                              • Opcode ID: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                              • Instruction ID: acd71d29b0153d9a857cfe4f4b92173b537516c8225cb423914a384c6c3599e6
                              • Opcode Fuzzy Hash: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                              • Instruction Fuzzy Hash: 32219272E011299ACF04DBD4CA996EEB7F5EF48308F20006AD811B3641DB755F48CBA0

                              Control-flow Graph

                              APIs
                              • __EH_prolog.LIBCMT ref: 6C731ECC
                                • Part of subcall function 6C71C58A: __EH_prolog.LIBCMT ref: 6C71C58F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :hJ$dJ$xJ
                              • API String ID: 3519838083-2437443688
                              • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction ID: 6bbec1cb7b6e98c818db36d61d9f0501566166cb34b15cf2c7ebe1bdb4742984
                              • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction Fuzzy Hash: 4221DCB0901B40CFC761DF6AC14828ABBF4BF1A714B10C95EC1AA97B11D7B4A508CF55

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID: <J$DJ$HJ$TJ$]
                              • API String ID: 0-686860805
                              • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                              • Instruction ID: 2a3bb24d29db3534e98d1491e01319f6f44d44e83e15bb943ab6867430f62c7b
                              • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                              • Instruction Fuzzy Hash: 2C41CC72D05249AFCF14DBA0D6988EE77B4BF25308B10C16FD02167E50D73AA64DCB11

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID:
                              • API String ID: 3732870572-0
                              • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                              • Instruction ID: f3e1137b0a31f8a6cd42a20402c54c00c6b6c1182e6be0b8420c4078c2751fda
                              • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                              • Instruction Fuzzy Hash: B311E776200308BFEB204AA1DD49EAFBBBDEFC5744F00852DF14156A50CB72AC15E720

                              Control-flow Graph

                              APIs
                              • __EH_prolog.LIBCMT ref: 6C70B077
                                • Part of subcall function 6C70AFF5: __EH_prolog.LIBCMT ref: 6C70AFFA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :$\
                              • API String ID: 3519838083-1166558509
                              • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                              • Instruction ID: 1a646c4676b4c4f8852f1bc9358cb2ef7bbea7c66981c5df515e3e7635a9c9a0
                              • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                              • Instruction Fuzzy Hash: 5BE1C2B0B002099ACB11DFA4CA98BEDB7F1EF1531CF10852DD86567A91EB70B789CB15
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog__aullrem
                              • String ID: d%K
                              • API String ID: 3415659256-3110269457
                              • Opcode ID: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                              • Instruction ID: 916b2fdf8eba1c1c51f6ad7be866ee29437ab4dbcfeef1aafd3f21ad3c2bfe5f
                              • Opcode Fuzzy Hash: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                              • Instruction Fuzzy Hash: 4E812471A106099FCF00CFA8C684BDEBBF5AF44349F60C069D818AB745DB31D955CBA0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$hfJ
                              • API String ID: 3519838083-1391159562
                              • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                              • Instruction ID: ca9ff5984be41596d291f8d3fb11cefdafdfc5ca8a992a93682f2659b8fa8568
                              • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                              • Instruction Fuzzy Hash: 31914CB0A10359DFCB10DF99CA889DEFBF4BF18308F54552EE459A7A91D770AA48CB10
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C725C5D
                                • Part of subcall function 6C72461A: __EH_prolog.LIBCMT ref: 6C72461F
                                • Part of subcall function 6C724A2E: __EH_prolog.LIBCMT ref: 6C724A33
                                • Part of subcall function 6C725EA5: __EH_prolog.LIBCMT ref: 6C725EAA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: WZJ
                              • API String ID: 3519838083-1089469559
                              • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction ID: 4c77fff1cd288ae727b8ebbfa5d3a635544e5c01fb5cba0a46e79afddd9dd34d
                              • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction Fuzzy Hash: 3B818E31D00159DFCF15DFA4DA98ADDBBB4AF08318F1080AAE516B7791DB34AE49CB60
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: <dJ$Q
                              • API String ID: 3519838083-2252229148
                              • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                              • Instruction ID: d28ed1e7b21f21a58624a4a19a8fa8266b20a1b3e1b5237b02108d057c1fbc9d
                              • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                              • Instruction Fuzzy Hash: A9519EB1A04209EFCF10DF94CA848EDB7B1FF59308F10852EE521ABA50D7759A8ACB14
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $D^J
                              • API String ID: 3519838083-3977321784
                              • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                              • Instruction ID: c5e177d034740fdfc2bca7ef627c2ce1472ee9efbf9954575094b2475f13e83e
                              • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                              • Instruction Fuzzy Hash: 414180A3A056905ED7228F28C6587DCBBB16F16308F14816FC4D147E81DF6F558BC395
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: X&L$p|J
                              • API String ID: 3519838083-2944591232
                              • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                              • Instruction ID: bb0937f903efec88cbbe41d41ed9416885c4cf0abf8908586a214d189d9394c1
                              • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                              • Instruction Fuzzy Hash: B631F131785105CBD7009B58DF0DFF977B1EB02368F12C13ADA10E6EA0CBA09AE68B50
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0|J$`)L
                              • API String ID: 3519838083-117937767
                              • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction ID: aeff6d59cd5248de75b3e971e9b605a92e6701394dcffec89a9d9eecd7557558
                              • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction Fuzzy Hash: 70419FB1601785DFDF119F60C6987EABBE2FF45208F00843EE45A97710CB31A954CB91
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID: 3333
                              • API String ID: 3732870572-2924271548
                              • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction ID: 8d4b6a12cc917ff8ac244be22d787ca29a5929e87b33ba5cd951d6014c8a10f4
                              • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction Fuzzy Hash: FF21A6B0A407046ED720CFB98985B9BBAFCEB44714F10CA2EA186D3B40DB70A9049B65
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$LuJ
                              • API String ID: 3519838083-205571748
                              • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction ID: 1cc0cb467f35401b8fbb9bd65f2ba38d70f9b3ecab30e95ff4a0edcbabc6bce0
                              • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction Fuzzy Hash: EF01C0B2E04309DACB10CFE985845AEFBB4FF69314F40942EE169F3A41C3349A04CB59
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$xMJ
                              • API String ID: 3519838083-951924499
                              • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                              • Instruction ID: addd9f758a668dd83aaf7137e0128ae412e61a39c12cffa79f73bb7280365525
                              • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                              • Instruction Fuzzy Hash: 00117C71A0420ADBCB00CFE9C59859EF7B4FF28358B50C42ED429E7B00D3349A46CB55
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prologctype
                              • String ID: |zJ
                              • API String ID: 3037903784-3782439380
                              • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                              • Instruction ID: e2622474ac99ebd12105ce7ed8f0abc790afc204f2817f589c17b02c8d7f6327
                              • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                              • Instruction Fuzzy Hash: 3CE0E5726411109BE7048F48D904BDEF3A4FF65714F10801FD026A3A40CBB4A8108781
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID: H_prologctype
                              • String ID: <oJ
                              • API String ID: 3037903784-2791053824
                              • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                              • Instruction ID: f15a638e0ff770b44e1014bc09ed823659df114f5703885cfff10714e062d552
                              • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                              • Instruction Fuzzy Hash: BEE0ED72A01121DBDB089F48DA28BDEF7A4EF85768F11012EA015A7B42CBB1A8048A80
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID: @ K$DJ$T)K$X/K
                              • API String ID: 0-3815299647
                              • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                              • Instruction ID: 64f273d6c883c7a87002f00fdec9dbcdc48d0d70835b38e576376ba84af97f31
                              • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                              • Instruction Fuzzy Hash: E391D1706053458BCF00EE76CB587EAB7B2AF4230EF108869CC669BF85CB75A949C751
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1905171517.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                              • Associated: 00000006.00000002.1905775957.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c610000_Setup64v4.jbxd
                              Similarity
                              • API ID:
                              • String ID: D)K$H)K$P)K$T)K
                              • API String ID: 0-2262112463
                              • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                              • Instruction ID: ebdc9128e6d3246b2d364fc5b4f33f545d0eacc026add32374d791a383fc0f5a
                              • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                              • Instruction Fuzzy Hash: 8051C370A052099BCF00DFA2DA5CADEB7B1BF0531CF108529EC11A7E90DBB5DA89C750

                              Execution Graph

                              Execution Coverage: 4%
                              Dynamic/Decrypted Code Coverage: 0%
                              Signature Coverage: 1.1%
                              Total number of Nodes: 2000
                              Total number of Limit Nodes: 41
74607->74707 74608 13cc8b 74609 13cccb 74608->74609 74715 13979e VariantClear __EH_prolog 74608->74715 74609->74539 74611 13ccb1 74611->74609 74716 13cae9 VariantClear 74611->74716 74616->74549 74617->74539 74618->74539 74619->74539 74620->74539 74621->74539 74622->74539 74623->74548 74624->74567 74625->74572 74626->74567 74627->74589 74628->74595 74629->74567 74630->74590 74631->74594 74632->74567 74633->74583 74634->74588 74635->74567 74636->74535 74637->74546 74638->74554 74639->74558 74640->74567 74641->74561 74642->74564 74643->74568 74644->74573 74645->74576 74647 11b969 74646->74647 74648 11b97d 74646->74648 74647->74648 74649 117731 5 API calls 74647->74649 74648->74539 74650 11b9ee 74649->74650 74650->74648 74652 11b8ec GetLastError 74650->74652 74652->74648 74654 139991 __EH_prolog 74653->74654 74658 1680aa 74654->74658 74655 1399a8 74655->74605 74657->74604 74659 1680b4 __EH_prolog 74658->74659 74660 111e0c ctype 2 API calls 74659->74660 74661 1680bf 74660->74661 74662 1680d3 74661->74662 74664 15bdb5 74661->74664 74662->74655 74665 15bdbf __EH_prolog 74664->74665 74670 15be69 74665->74670 74667 15bdef 74668 112e04 2 API calls 74667->74668 74669 15be16 74668->74669 74669->74662 74671 15be73 __EH_prolog 74670->74671 74674 155e2b 74671->74674 74673 15be7f 74673->74667 74675 155e35 __EH_prolog 74674->74675 74680 1508b6 74675->74680 74677 155e41 74685 12dfc9 malloc _CxxThrowException __EH_prolog 74677->74685 74679 155e57 74679->74673 74686 119c60 74680->74686 74682 1508c4 74691 119c8f GetModuleHandleA GetProcAddress 74682->74691 74684 1508f3 __aulldiv 74684->74677 74685->74679 74696 119c4d GetCurrentProcess GetProcessAffinityMask 74686->74696 74688 119c6e 74689 119c80 GetSystemInfo 74688->74689 74690 119c79 74688->74690 74689->74682 74690->74682 74692 119cc4 GlobalMemoryStatusEx 74691->74692 74693 119cef GlobalMemoryStatus 74691->74693 74692->74693 74695 119cce 74692->74695 74694 119d08 74693->74694 74694->74695 74695->74684 74696->74688 74698 15f455 
74697->74698 74717 121092 74698->74717 74701 15f478 74701->74608 74704 15550f __EH_prolog 74703->74704 74769 154e8a 74704->74769 74708 15cf9b __EH_prolog 74707->74708 74709 15f445 14 API calls 74708->74709 74710 15d018 74709->74710 74712 15d01f 74710->74712 74992 161511 74710->74992 74712->74608 74713 15d08b 74713->74712 74998 162c5d 11 API calls 2 library calls 74713->74998 74715->74611 74716->74609 74719 11b95a 6 API calls 74717->74719 74718 1210aa 74718->74701 74720 15f1b2 74718->74720 74719->74718 74721 15f1bc __EH_prolog 74720->74721 74730 121168 74721->74730 74723 15f1d3 74724 15f231 memcpy 74723->74724 74725 15f21c _CxxThrowException 74723->74725 74726 15f1e6 74723->74726 74728 15f24c 74724->74728 74725->74724 74726->74701 74727 15f2f0 memmove 74727->74728 74728->74726 74728->74727 74729 15f31a memcpy 74728->74729 74729->74726 74733 12111c 74730->74733 74734 121130 74733->74734 74735 12115f 74734->74735 74738 11b668 74734->74738 74757 11d331 74734->74757 74735->74723 74742 11b675 74738->74742 74741 11b8aa GetLastError 74747 11b6aa 74741->74747 74743 117731 5 API calls 74742->74743 74744 11b81b 74742->74744 74745 11b7e7 74742->74745 74742->74747 74748 11b811 74742->74748 74750 11b7ad 74742->74750 74755 11b864 74742->74755 74766 117b4f ReadFile 74742->74766 74743->74742 74746 11b839 memcpy 74744->74746 74744->74747 74749 117731 5 API calls 74745->74749 74745->74755 74746->74747 74747->74734 74767 11b8ec GetLastError 74748->74767 74752 11b80d 74749->74752 74750->74742 74756 11b8c7 74750->74756 74765 196a20 VirtualAlloc 74750->74765 74752->74748 74752->74755 74761 117b7c 74755->74761 74756->74747 74758 11d355 74757->74758 74759 11d374 74758->74759 74760 11b668 10 API calls 74758->74760 74759->74734 74760->74759 74762 117b89 74761->74762 74768 117b4f ReadFile 74762->74768 74764 117b9a 74764->74741 74764->74747 74765->74750 74766->74742 74767->74747 74768->74764 74770 154e94 __EH_prolog 74769->74770 74771 112e04 2 API calls 74770->74771 74785 154f1d 74770->74785 
74772 154ed7 74771->74772 74901 127fc5 74772->74901 74774 154f37 74776 154f41 74774->74776 74777 154f63 74774->74777 74775 154f0a 74778 11965d VariantClear 74775->74778 74779 11965d VariantClear 74776->74779 74780 112f88 3 API calls 74777->74780 74781 154f15 74778->74781 74783 154f4c 74779->74783 74784 154f71 74780->74784 74922 111e40 free 74781->74922 74923 111e40 free 74783->74923 74787 11965d VariantClear 74784->74787 74785->74608 74788 154f80 74787->74788 74924 125bcf malloc _CxxThrowException 74788->74924 74790 154f9a 74791 112e47 2 API calls 74790->74791 74792 154fad 74791->74792 74793 112f1c 2 API calls 74792->74793 74794 154fbd 74793->74794 74795 112e04 2 API calls 74794->74795 74796 154fd1 74795->74796 74797 112e04 2 API calls 74796->74797 74804 154fdd 74797->74804 74798 155404 74969 111e40 free 74798->74969 74800 15540c 74970 111e40 free 74800->74970 74802 155414 74971 111e40 free 74802->74971 74804->74798 74925 125bcf malloc _CxxThrowException 74804->74925 74806 155099 74808 112da9 2 API calls 74806->74808 74807 15541c 74972 111e40 free 74807->74972 74810 1550a9 74808->74810 74812 112fec 3 API calls 74810->74812 74811 155424 74973 111e40 free 74811->74973 74814 1550b6 74812->74814 74926 111e40 free 74814->74926 74815 15542c 74974 111e40 free 74815->74974 74818 1550be 74927 111e40 free 74818->74927 74820 1550cd 74821 112f88 3 API calls 74820->74821 74822 1550e3 74821->74822 74823 1550f1 74822->74823 74824 155100 74822->74824 74928 1130ea 74823->74928 74934 113044 malloc _CxxThrowException free ctype 74824->74934 74827 1550fe 74935 121029 6 API calls 74827->74935 74829 15511a 74830 155120 74829->74830 74831 15516b 74829->74831 74936 111e40 free 74830->74936 74942 12089e malloc _CxxThrowException free _CxxThrowException memcpy 74831->74942 74834 155128 74937 111e40 free 74834->74937 74835 155187 74838 1504d2 5 API calls 74835->74838 74837 155130 74938 111e40 free 74837->74938 74840 1551ba 74838->74840 74943 150516 malloc _CxxThrowException ctype 
74840->74943 74841 155138 74939 111e40 free 74841->74939 74843 1551c5 74849 1551f5 74843->74849 74850 15522d 74843->74850 74845 155140 74940 111e40 free 74845->74940 74847 155148 74941 111e40 free 74847->74941 74944 111e40 free 74849->74944 74851 112e04 2 API calls 74850->74851 74853 155235 74851->74853 74864 15532e 74853->74864 74867 1553a3 74853->74867 74885 1504d2 5 API calls 74853->74885 74899 112e04 2 API calls 74853->74899 74950 15545c 5 API calls 2 library calls 74853->74950 74951 121029 6 API calls 74853->74951 74952 12089e malloc _CxxThrowException free _CxxThrowException memcpy 74853->74952 74953 150516 malloc _CxxThrowException ctype 74853->74953 74954 111e40 free 74853->74954 74854 1551fd 74945 111e40 free 74854->74945 74857 155205 74946 111e40 free 74857->74946 74860 15520d 74947 111e40 free 74860->74947 74861 155347 74861->74798 74863 155358 74861->74863 74956 111e40 free 74863->74956 74955 111e40 free 74864->74955 74865 155215 74948 111e40 free 74865->74948 74962 111e40 free 74867->74962 74869 15521d 74949 111e40 free 74869->74949 74870 155360 74957 111e40 free 74870->74957 74874 155368 74958 111e40 free 74874->74958 74877 1553bc 74963 111e40 free 74877->74963 74879 155370 74959 111e40 free 74879->74959 74881 1553c4 74964 111e40 free 74881->74964 74885->74853 74887 1553cc 74965 111e40 free 74887->74965 74892 1553d4 74966 111e40 free 74892->74966 74894 1553dc 74899->74853 74904 127fcf __EH_prolog 74901->74904 74902 12800a 74984 119736 VariantClear 74902->74984 74903 128061 74906 12805c 74903->74906 74919 128025 74903->74919 74904->74903 74904->74906 74907 128019 74904->74907 74910 127ff4 74904->74910 74983 119630 VariantClear 74906->74983 74907->74910 74911 12801e 74907->74911 74909 1280b8 74913 11965d VariantClear 74909->74913 74910->74902 74975 11950d 74910->74975 74914 128042 74911->74914 74915 128022 74911->74915 74917 1280c0 74913->74917 74981 119597 VariantClear 74914->74981 74918 128032 74915->74918 74915->74919 74917->74774 74917->74775 74980 
119604 VariantClear 74918->74980 74919->74902 74982 1195df VariantClear 74919->74982 74922->74785 74923->74785 74924->74790 74925->74806 74926->74818 74927->74820 74929 1130fd 74928->74929 74930 111e0c ctype 2 API calls 74929->74930 74933 11311d 74929->74933 74931 113113 74930->74931 74991 111e40 free 74931->74991 74933->74827 74934->74827 74935->74829 74936->74834 74937->74837 74938->74841 74939->74845 74940->74847 74941->74785 74942->74835 74943->74843 74944->74854 74945->74857 74946->74860 74947->74865 74948->74869 74949->74785 74950->74853 74951->74853 74952->74853 74953->74853 74954->74853 74955->74861 74956->74870 74957->74874 74958->74879 74962->74877 74963->74881 74964->74887 74965->74892 74966->74894 74969->74800 74970->74802 74971->74807 74972->74811 74973->74815 74974->74785 74985 119767 74975->74985 74977 119518 SysAllocStringLen 74978 119539 _CxxThrowException 74977->74978 74979 11954f 74977->74979 74978->74979 74979->74902 74980->74902 74981->74902 74982->74902 74983->74902 74984->74909 74986 119770 74985->74986 74987 119779 74985->74987 74986->74977 74990 119686 VariantClear 74987->74990 74989 119780 74989->74977 74990->74989 74991->74933 74993 16151b __EH_prolog 74992->74993 74999 1610d3 74993->74999 74996 161552 _CxxThrowException 74996->74713 74997 161589 74997->74713 74998->74712 75000 1610dd __EH_prolog 74999->75000 75031 15d1b7 75000->75031 75002 1612ef 75002->74996 75002->74997 75003 1611f4 75003->75002 75030 11b95a 6 API calls 75003->75030 75004 16139e 75004->75002 75005 1613c4 75004->75005 75007 111e0c ctype 2 API calls 75004->75007 75008 121168 10 API calls 75005->75008 75007->75005 75012 1613da 75008->75012 75009 121168 10 API calls 75009->75003 75010 1613de 75079 111e40 free 75010->75079 75012->75010 75014 1613f9 75012->75014 75073 15ef67 _CxxThrowException 75012->75073 75038 15f047 75014->75038 75017 1614ba 75077 160943 50 API calls 2 library calls 75017->75077 75018 161450 75042 1606ae 75018->75042 75022 1614e7 75078 142db9 free ctype 
75022->75078 75030->75004 75080 15d23c 75031->75080 75033 15d1ed 75087 111e40 free 75033->75087 75035 15d209 75088 111e40 free 75035->75088 75037 15d21c 75037->75002 75037->75003 75037->75009 75039 15f063 75038->75039 75040 15f072 75039->75040 75116 15ef67 _CxxThrowException 75039->75116 75040->75017 75040->75018 75074 15ef67 _CxxThrowException 75040->75074 75043 1606b8 __EH_prolog 75042->75043 75117 1603f4 75043->75117 75048 1608e3 _CxxThrowException 75051 1608f7 75048->75051 75050 1608ae 75245 111e40 free 75050->75245 75054 15b8dc ctype free 75051->75054 75052 11429a 3 API calls 75062 160715 75052->75062 75056 160914 75054->75056 75248 111e40 free 75056->75248 75057 111e0c ctype 2 API calls 75057->75062 75061 16091c 75249 111e40 free 75061->75249 75062->75048 75062->75051 75062->75052 75062->75057 75071 160877 75062->75071 75072 15ef67 _CxxThrowException 75062->75072 75147 1212a5 75062->75147 75152 1581ec 75062->75152 75065 160924 75250 111e40 free 75065->75250 75068 16092c 75251 15c149 free ctype 75068->75251 75238 15b8dc 75071->75238 75072->75062 75073->75014 75074->75018 75077->75022 75078->75010 75079->75002 75089 15d2b8 75080->75089 75083 15d25e 75106 111e40 free 75083->75106 75086 15d275 75086->75033 75087->75035 75088->75037 75108 111e40 free 75089->75108 75091 15d2c8 75109 111e40 free 75091->75109 75093 15d2dc 75110 111e40 free 75093->75110 75095 15d2e7 75111 111e40 free 75095->75111 75097 15d2f2 75112 111e40 free 75097->75112 75099 15d2fd 75113 111e40 free 75099->75113 75101 15d308 75114 111e40 free 75101->75114 75103 15d313 75104 15d246 75103->75104 75115 111e40 free 75103->75115 75104->75083 75107 111e40 free 75104->75107 75106->75086 75107->75083 75108->75091 75109->75093 75110->75095 75111->75097 75112->75099 75113->75101 75114->75103 75115->75104 75116->75040 75118 15f047 _CxxThrowException 75117->75118 75119 160407 75118->75119 75121 15f047 _CxxThrowException 75119->75121 75122 160475 75119->75122 75120 16049a 75123 1604b8 75120->75123 75256 16159a 
malloc _CxxThrowException free ctype 75120->75256 75124 160421 75121->75124 75122->75120 75255 15fa3f 22 API calls 2 library calls 75122->75255 75126 1604e8 75123->75126 75127 1604cd 75123->75127 75128 16043e 75124->75128 75252 15ef67 _CxxThrowException 75124->75252 75258 167c4a malloc _CxxThrowException free ctype 75126->75258 75257 15fff0 9 API calls 2 library calls 75127->75257 75253 15f93c 7 API calls 2 library calls 75128->75253 75129 160492 75133 15f047 _CxxThrowException 75129->75133 75133->75120 75135 1604db 75139 15f047 _CxxThrowException 75135->75139 75137 1604e3 75142 16054a 75137->75142 75260 15ef67 _CxxThrowException 75137->75260 75138 160446 75140 16046d 75138->75140 75254 15ef67 _CxxThrowException 75138->75254 75139->75137 75141 15f047 _CxxThrowException 75140->75141 75141->75122 75142->75062 75144 1604f3 75144->75137 75259 12089e malloc _CxxThrowException free _CxxThrowException memcpy 75144->75259 75148 1504d2 5 API calls 75147->75148 75149 1212ad 75148->75149 75150 111e0c ctype 2 API calls 75149->75150 75151 1212b4 75150->75151 75151->75062 75153 1581f6 __EH_prolog 75152->75153 75261 15f749 75153->75261 75155 15824e 75317 1591cc free ctype 75155->75317 75156 15823b 75156->75155 75265 158f58 75156->75265 75158 158667 75158->75062 75239 15b8e6 __EH_prolog 75238->75239 75338 111e40 free 75239->75338 75241 15b90d 75339 14e647 free ctype 75241->75339 75243 15b915 75244 111e40 free 75243->75244 75244->75050 75248->75061 75249->75065 75250->75068 75252->75128 75253->75138 75254->75140 75255->75129 75256->75123 75257->75135 75258->75144 75259->75144 75260->75142 75262 15f779 75261->75262 75263 15f797 75262->75263 75264 15f782 _CxxThrowException 75262->75264 75263->75156 75264->75263 75266 158f6a 75265->75266 75318 127cec 75266->75318 75317->75158 75319 127cff 75318->75319 75325 127d3f 75318->75325 75338->75241 75339->75243 75340 13d948 75370 13dac7 75340->75370 75342 13d94f 75343 112e04 2 API calls 75342->75343 75344 13d97b 75343->75344 75345 112e04 2 API 
calls 75344->75345 75346 13d987 75345->75346 75350 13d9e7 75346->75350 75378 116404 75346->75378 75352 13da36 75350->75352 75353 13da0f 75350->75353 75356 13da94 75352->75356 75363 112da9 2 API calls 75352->75363 75366 1504d2 5 API calls 75352->75366 75405 111524 malloc _CxxThrowException __EH_prolog ctype 75352->75405 75406 111e40 free 75352->75406 75403 111e40 free 75353->75403 75355 13d9bf 75401 111e40 free 75355->75401 75407 111e40 free 75356->75407 75357 13da17 75404 111e40 free 75357->75404 75361 13d9c7 75402 111e40 free 75361->75402 75362 13da9c 75408 111e40 free 75362->75408 75363->75352 75366->75352 75367 13d9cf 75371 13dad1 __EH_prolog 75370->75371 75372 112e04 2 API calls 75371->75372 75373 13db33 75372->75373 75374 112e04 2 API calls 75373->75374 75375 13db3f 75374->75375 75376 112e04 2 API calls 75375->75376 75377 13db55 75376->75377 75377->75342 75409 11631f 75378->75409 75381 116423 75383 112f88 3 API calls 75381->75383 75382 112f88 3 API calls 75382->75381 75384 11643d 75383->75384 75385 127e5a 75384->75385 75386 127e64 __EH_prolog 75385->75386 75465 128179 75386->75465 75389 137ebb free 75390 127e7f 75389->75390 75391 112fec 3 API calls 75390->75391 75392 127e9a 75391->75392 75393 112da9 2 API calls 75392->75393 75394 127ea7 75393->75394 75395 116c72 44 API calls 75394->75395 75396 127eb7 75395->75396 75470 111e40 free 75396->75470 75398 127ecb 75399 127ed8 75398->75399 75471 11757d GetLastError 75398->75471 75399->75350 75399->75355 75401->75361 75402->75367 75403->75357 75404->75367 75405->75352 75406->75352 75407->75362 75408->75367 75410 119245 75409->75410 75413 1190da 75410->75413 75414 1190e4 __EH_prolog 75413->75414 75415 112f88 3 API calls 75414->75415 75416 1190f7 75415->75416 75417 11915d 75416->75417 75422 119109 75416->75422 75418 112e04 2 API calls 75417->75418 75419 119165 75418->75419 75420 1191be 75419->75420 75423 119174 75419->75423 75459 116332 6 API calls 2 library calls 75420->75459 75424 116414 75422->75424 75426 112e47 2 API 
calls 75422->75426 75427 112f88 3 API calls 75423->75427 75424->75381 75424->75382 75425 11917d 75428 1191ca 75425->75428 75457 11859e malloc _CxxThrowException free _CxxThrowException 75425->75457 75429 119122 75426->75429 75427->75425 75464 111e40 free 75428->75464 75454 118f57 memmove 75429->75454 75432 11912e 75435 11914d 75432->75435 75455 1131e5 malloc _CxxThrowException free _CxxThrowException 75432->75455 75434 119185 75438 112e04 2 API calls 75434->75438 75456 111e40 free 75435->75456 75439 119197 75438->75439 75440 11919f 75439->75440 75441 1191ce 75439->75441 75442 1191b9 75440->75442 75458 111089 malloc _CxxThrowException free _CxxThrowException 75440->75458 75443 112f88 3 API calls 75441->75443 75460 113199 malloc _CxxThrowException free _CxxThrowException 75442->75460 75443->75442 75446 1191e6 75461 118f57 memmove 75446->75461 75448 1191ee 75449 1191f2 75448->75449 75450 112fec 3 API calls 75448->75450 75463 111e40 free 75449->75463 75452 119212 75450->75452 75462 1131e5 malloc _CxxThrowException free _CxxThrowException 75452->75462 75454->75432 75455->75435 75456->75424 75457->75434 75458->75442 75459->75425 75460->75446 75461->75448 75462->75449 75463->75428 75464->75424 75467 128906 75465->75467 75466 127e77 75466->75389 75467->75466 75472 128804 free ctype 75467->75472 75473 111e40 free 75467->75473 75470->75398 75471->75399 75472->75467 75473->75467 75474 196bc6 75475 196bca 75474->75475 75476 196bcd 75474->75476 75476->75475 75477 196bd1 malloc 75476->75477 75477->75475 75478 145475 75479 112fec 3 API calls 75478->75479 75480 1454b4 75479->75480 75483 14c911 75480->75483 75482 1454bb 75484 14c926 GetTickCount 75483->75484 75485 14c92f 75483->75485 75484->75485 75494 14c96d 75485->75494 75512 14cb64 75485->75512 75547 112ab1 strcmp 75485->75547 75489 14c9ce 75492 1127bb 3 API calls 75489->75492 75489->75512 75490 14c95b 75490->75494 75548 113542 wcscmp 75490->75548 75498 14c9e2 75492->75498 75494->75512 75528 14c86a 75494->75528 75495 14ca0a 
75496 14ca21 75495->75496 75497 11286d 5 API calls 75495->75497 75505 11286d 5 API calls 75496->75505 75522 14cb10 75496->75522 75500 14ca16 75497->75500 75498->75495 75550 11286d 75498->75550 75557 1128fa malloc _CxxThrowException free memcpy _CxxThrowException 75500->75557 75508 14ca40 75505->75508 75507 14cb59 75569 14cb92 malloc _CxxThrowException free 75507->75569 75511 112fec 3 API calls 75508->75511 75514 14ca4e 75511->75514 75512->75482 75558 112033 75514->75558 75515 14cb50 75517 1127bb 3 API calls 75515->75517 75516 14cb49 75568 111f91 fflush 75516->75568 75517->75507 75520 14caf5 75567 1128fa malloc _CxxThrowException free memcpy _CxxThrowException 75520->75567 75536 14cb74 75522->75536 75523 112fec 3 API calls 75526 14ca6a 75523->75526 75526->75520 75526->75523 75527 112033 10 API calls 75526->75527 75565 113599 memmove 75526->75565 75566 113402 malloc _CxxThrowException free memmove _CxxThrowException 75526->75566 75527->75526 75529 14c88c __aulldiv 75528->75529 75530 14c8d3 strlen 75529->75530 75531 14c900 75530->75531 75532 14c8f1 75530->75532 75533 1128a1 5 API calls 75531->75533 75532->75531 75534 11286d 5 API calls 75532->75534 75535 14c90c 75533->75535 75534->75532 75535->75489 75549 112ab1 strcmp 75535->75549 75537 14cb7c strcmp 75536->75537 75538 14cb1c 75536->75538 75537->75538 75538->75507 75539 14c7d7 75538->75539 75540 14c7ea 75539->75540 75542 14c849 75539->75542 75541 14c7fe fputs 75540->75541 75570 1125cb malloc _CxxThrowException free _CxxThrowException ctype 75540->75570 75541->75542 75543 14c85a fputs 75542->75543 75571 111f91 fflush 75542->75571 75543->75515 75543->75516 75547->75490 75548->75494 75549->75489 75572 111e9d 75550->75572 75553 1128a1 75554 1128b0 75553->75554 75554->75554 75577 11267f 75554->75577 75556 1128bf 75556->75495 75557->75496 75559 11203b 75558->75559 75560 112045 75559->75560 75561 112054 75559->75561 75587 11421e malloc _CxxThrowException free _CxxThrowException _CxxThrowException 75560->75587 75588 1137ff 9 
API calls 75561->75588 75564 112052 75564->75526 75565->75526 75566->75526 75567->75522 75568->75515 75569->75512 75570->75541 75571->75543 75573 111ea8 75572->75573 75574 111ead 75572->75574 75576 11263c malloc _CxxThrowException free memcpy _CxxThrowException 75573->75576 75574->75553 75576->75574 75578 1126c2 75577->75578 75579 112693 75577->75579 75578->75556 75580 1126c8 _CxxThrowException 75579->75580 75581 1126bc 75579->75581 75582 1126dd 75580->75582 75586 112595 malloc _CxxThrowException free memcpy ctype 75581->75586 75584 111e0c ctype 2 API calls 75582->75584 75585 1126ea 75584->75585 75585->75556 75586->75578 75587->75564 75588->75564 75589 14adb7 75590 14adc1 __EH_prolog 75589->75590 75605 1126dd 75590->75605 75592 14ae1d 75593 112e04 2 API calls 75592->75593 75594 14ae38 75593->75594 75595 112e04 2 API calls 75594->75595 75596 14ae44 75595->75596 75597 112e04 2 API calls 75596->75597 75598 14ae68 75597->75598 75608 14ad29 75598->75608 75602 14ae94 75603 112e04 2 API calls 75602->75603 75604 14aeb2 75603->75604 75606 111e0c ctype 2 API calls 75605->75606 75607 1126ea 75606->75607 75607->75592 75609 14ad33 __EH_prolog 75608->75609 75610 112e04 2 API calls 75609->75610 75611 14ad5f 75610->75611 75612 112e04 2 API calls 75611->75612 75613 14ad72 75612->75613 75614 14af2d 75613->75614 75615 14af37 __EH_prolog 75614->75615 75626 1234f4 malloc _CxxThrowException __EH_prolog 75615->75626 75617 14afac 75618 112e04 2 API calls 75617->75618 75619 14afbb 75618->75619 75620 112e04 2 API calls 75619->75620 75621 14afca 75620->75621 75622 112e04 2 API calls 75621->75622 75623 14afd9 75622->75623 75624 112e04 2 API calls 75623->75624 75625 14afe8 75624->75625 75625->75602 75626->75617 75627 158eb1 75632 158ed1 75627->75632 75630 158ec9 75633 158edb __EH_prolog 75632->75633 75641 159267 75633->75641 75637 158efd 75646 14e5f1 free ctype 75637->75646 75639 158eb9 75639->75630 75640 111e40 free 75639->75640 75640->75630 75642 159271 __EH_prolog 75641->75642 75647 111e40 
free 75642->75647 75644 158ef1 75645 15922b free CloseHandle GetLastError ctype 75644->75645 75645->75637 75646->75639 75647->75644 75648 13cefb 75649 13d0cc 75648->75649 75650 13cf03 75648->75650 75650->75649 75695 13cae9 VariantClear 75650->75695 75652 13cf59 75652->75649 75696 13cae9 VariantClear 75652->75696 75654 13cf71 75654->75649 75697 13cae9 VariantClear 75654->75697 75656 13cf87 75656->75649 75698 13cae9 VariantClear 75656->75698 75658 13cf9d 75658->75649 75699 13cae9 VariantClear 75658->75699 75660 13cfb3 75660->75649 75700 13cae9 VariantClear 75660->75700 75662 13cfc9 75662->75649 75701 114504 malloc _CxxThrowException 75662->75701 75664 13cfdc 75665 112e04 2 API calls 75664->75665 75667 13cfe7 75665->75667 75666 13d009 75669 13d080 75666->75669 75670 13d030 75666->75670 75689 13d07b 75666->75689 75667->75666 75668 112f88 3 API calls 75667->75668 75668->75666 75706 137a0c CharUpperW 75669->75706 75673 112e04 2 API calls 75670->75673 75677 13d038 75673->75677 75674 13d0c4 75710 111e40 free 75674->75710 75676 13d08b 75707 12fdbc 4 API calls 2 library calls 75676->75707 75678 112e04 2 API calls 75677->75678 75680 13d046 75678->75680 75702 12fdbc 4 API calls 2 library calls 75680->75702 75681 13d0a7 75683 112fec 3 API calls 75681->75683 75685 13d0b3 75683->75685 75684 13d057 75686 112fec 3 API calls 75684->75686 75708 111e40 free 75685->75708 75688 13d063 75686->75688 75703 111e40 free 75688->75703 75709 111e40 free 75689->75709 75691 13d06b 75704 111e40 free 75691->75704 75693 13d073 75705 111e40 free 75693->75705 75695->75652 75696->75654 75697->75656 75698->75658 75699->75660 75700->75662 75701->75664 75702->75684 75703->75691 75704->75693 75705->75689 75706->75676 75707->75681 75708->75689 75709->75674 75710->75649 75714 14993d 75798 14b5b1 75714->75798 75717 149963 75804 121f33 75717->75804 75720 149975 75721 1499ce 75720->75721 75722 1499b7 GetStdHandle GetConsoleScreenBufferInfo 75720->75722 75723 111e0c ctype 2 API calls 75721->75723 75722->75721 
75724 1499dc 75723->75724 75925 137b48 75724->75925 75726 149a29 75954 14b96d _CxxThrowException 75726->75954 75728 149a30 75955 137018 8 API calls 2 library calls 75728->75955 75730 149a7c 75956 13ddb5 6 API calls 2 library calls 75730->75956 75732 149a66 _CxxThrowException 75732->75730 75733 149aa6 75735 149aaa _CxxThrowException 75733->75735 75744 149ac0 75733->75744 75734 149a37 75734->75730 75734->75732 75735->75744 75736 149b3a 75960 111fa0 fputc 75736->75960 75739 149bfa _CxxThrowException 75762 149be6 75739->75762 75740 149b63 fputs 75961 111fa0 fputc 75740->75961 75743 149b79 strlen strlen 75745 149e25 75743->75745 75746 149baa fputs fputc 75743->75746 75744->75736 75744->75739 75957 137dd7 7 API calls 2 library calls 75744->75957 75958 14c077 6 API calls 75744->75958 75959 111e40 free 75744->75959 75969 111fa0 fputc 75745->75969 75746->75762 75749 149e2c fputs 75970 111fa0 fputc 75749->75970 75751 149f0c 75975 111fa0 fputc 75751->75975 75755 14b67d 12 API calls 75755->75762 75756 149f13 fputs 75976 111fa0 fputc 75756->75976 75759 112e04 2 API calls 75759->75762 75760 14ac3a 75982 14b96d _CxxThrowException 75760->75982 75761 149e42 75761->75751 75791 149ee0 fputs 75761->75791 75971 14b650 fputc fputs fputs fputc 75761->75971 75972 1121d8 fputs 75761->75972 75973 14bde4 fputc fputs 75761->75973 75762->75745 75762->75746 75762->75755 75762->75759 75777 149d2a fputs 75762->75777 75780 1131e5 malloc _CxxThrowException free _CxxThrowException 75762->75780 75782 149d5f fputs 75762->75782 75962 1121d8 fputs 75762->75962 75963 11315e malloc _CxxThrowException free _CxxThrowException 75762->75963 75964 113221 malloc _CxxThrowException free _CxxThrowException 75762->75964 75965 111089 malloc _CxxThrowException free _CxxThrowException 75762->75965 75967 111fa0 fputc 75762->75967 75968 111e40 free 75762->75968 75763 14ac35 75981 14b988 33 API calls __aulldiv 75763->75981 75766 149f29 75786 149f77 fputs 75766->75786 75795 149f9f 75766->75795 75977 14b650 fputc fputs 
                              [Control-flow graph node list, continued: numbered basic blocks with their code addresses and node->node edges. The blocks in this part of the graph reference the following imports: fputs, fputc, malloc, free, memcpy, memmove, memset, wcscmp, _CxxThrowException, __EH_prolog, __aulldiv, CharUpperW, VariantClear, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError, CloseHandle, SetFileTime, DeviceIoControl, GetModuleHandleW, GetProcAddress, GetDiskFreeSpaceW, SetConsoleCtrlHandler, WaitForSingleObject, SetEvent, VirtualAlloc, VirtualFree, __setusermatherr, _controlfp, _initterm, __getmainargs, __p___initenv.]

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1028 119313-119338 GetCurrentProcess OpenProcessToken 1029 119390 1028->1029 1030 11933a-11934a LookupPrivilegeValueW 1028->1030 1033 119393-119398 1029->1033 1031 119382 1030->1031 1032 11934c-119370 AdjustTokenPrivileges 1030->1032 1035 119385-11938e CloseHandle 1031->1035 1032->1031 1034 119372-119380 GetLastError 1032->1034 1034->1035 1035->1033
                              APIs
                              • GetCurrentProcess.KERNEL32(00000020,00121EC5,?,7597AB50,?,?,?,?,00121EC5,00121CEF), ref: 00119329
                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00121EC5,00121CEF), ref: 00119330
                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 00119342
                              • AdjustTokenPrivileges.KERNELBASE(00121EC5,00000000,?,00000000,00000000,00000000), ref: 00119368
                              • GetLastError.KERNEL32 ref: 00119372
                              • CloseHandle.KERNELBASE(00121EC5,?,?,?,?,00121EC5,00121CEF), ref: 00119388
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                              • String ID: SeRestorePrivilege
                              • API String ID: 3398352648-1684392131
                              • Opcode ID: fa48d3318f8b77bd6ae256379fe62ad4e6064a39aceeedead84421cb826a8db1
                              • Instruction ID: e0c4705cc09d13d57f506ebe432b2134771425f8ef273cc156d88d3235419db1
                              • Opcode Fuzzy Hash: fa48d3318f8b77bd6ae256379fe62ad4e6064a39aceeedead84421cb826a8db1
                              • Instruction Fuzzy Hash: 5B018076A45218ABCB106BF59C59BDEBF7CEF05340F040264F951E2190D7748688DBE0

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1036 123d66-123d9c call 1afb10 GetCurrentProcess call 123e04 OpenProcessToken 1041 123de3-123dfe call 123e04 1036->1041 1042 123d9e-123dbe LookupPrivilegeValueW 1036->1042 1042->1041 1043 123dc0-123dd3 AdjustTokenPrivileges 1042->1043 1043->1041 1045 123dd5-123de1 GetLastError 1043->1045 1045->1041
                              APIs
                              • __EH_prolog.LIBCMT ref: 00123D6B
                              • GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00123D7D
                              • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00123D94
                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00123DB6
                              • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00123DCB
                              • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00123DD5
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: ProcessToken$AdjustCurrentErrorH_prologLastLookupOpenPrivilegePrivilegesValue
                              • String ID: SeSecurityPrivilege
                              • API String ID: 3475889169-2333288578
                              • Opcode ID: a6781aa8c6c8e072746b9794507ffec960fe6d704b63bb468089c10456107574
                              • Instruction ID: 1aad9fb0c1a20b9c484a1429949d80f0342ba2f7152667c82fd3442930a53154
                              • Opcode Fuzzy Hash: a6781aa8c6c8e072746b9794507ffec960fe6d704b63bb468089c10456107574
                              • Instruction Fuzzy Hash: 841130B59401299FDB10EFE5DC85AFEFB7CFB04344F404629F422E2591D7348A088A70
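                              The two routines above enable SeRestorePrivilege and SeSecurityPrivilege through the same call sequence: GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, then GetLastError. The Python script below is an added example and is not part of the Joe Sandbox report or of 7-Zip: it parses "APIs" listings in the format this page uses (bullet, API.Module(args), ref: address, including the indented "Part of subcall function" entries) and flags any block containing that token-privilege chain, reporting which privilege was requested and whether GetLastError is consulted after AdjustTokenPrivileges. The three sample blocks are constructed by copying the listings shown on this page; the names parse_api_lines, privilege_chain, triage and SAMPLE_BLOCKS are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample blocks in the shape of the Joe Sandbox "APIs" listings on this
# page. The first two are copied from the two privilege-adjustment routines above,
# the third from the FindFirstFileW routine (with its "Part of subcall" line).
SAMPLE_BLOCKS = [
    """\
• GetCurrentProcess.KERNEL32(00000020,00121EC5,?,7597AB50,?,?,?,?,00121EC5,00121CEF), ref: 00119329
• OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00121EC5,00121CEF), ref: 00119330
• LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 00119342
• AdjustTokenPrivileges.KERNELBASE(00121EC5,00000000,?,00000000,00000000,00000000), ref: 00119368
• GetLastError.KERNEL32 ref: 00119372
• CloseHandle.KERNELBASE(00121EC5,?,?,?,?,00121EC5,00121CEF), ref: 00119388
""",
    """\
• __EH_prolog.LIBCMT ref: 00123D6B
• GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00123D7D
• OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00123D94
• LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00123DB6
• AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00123DCB
• GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00123DD5
""",
    """\
• __EH_prolog.LIBCMT ref: 0011686D
  • Part of subcall function 00116848: FindClose.KERNELBASE(00000000,?,00116880), ref: 00116853
• FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 001168A5
• FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 001168DE
""",
]

# One "APIs" line: optional subcall prefix, API.Module, optional (args), ref: address.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_ARG = re.compile(r"^-?[0-9A-Fa-f]{8}$")   # a resolved 32-bit value, not a string

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                    # address of the call site
    subcall: Optional[int] = None   # callee entry when taken from a "Part of subcall" line

def parse_api_lines(block: str) -> List[ApiCall]:
    """Parse one 'APIs' block; lines that are not call entries (headings) are skipped."""
    calls = []
    for line in block.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return calls

def string_args(calls: List[ApiCall]) -> List[str]:
    """Literal string arguments the IDA plugin resolved (anything not '?' or a hex word)."""
    return [a for c in calls for a in c.args if a and a != "?" and not HEX_ARG.match(a)]

PRIV_CHAIN = ("OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges")

def privilege_chain(calls: List[ApiCall]) -> Optional[dict]:
    """Detect the token-privilege enabling pattern of the two routines above.

    Returns None unless the routine's own calls (subcall lines excluded) contain
    OpenProcessToken -> LookupPrivilegeValueW -> AdjustTokenPrivileges in order.
    error_checked records whether GetLastError follows AdjustTokenPrivileges: that
    call returns nonzero even when the privilege is absent from the token and only
    signals it through ERROR_NOT_ALL_ASSIGNED (1300), so a routine that skips the
    check cannot know whether it actually holds the privilege.
    """
    names = [c.api for c in calls if c.subcall is None]
    pos = 0
    for step in PRIV_CHAIN:
        if step not in names[pos:]:
            return None
        pos = names.index(step, pos) + 1
    privs = [a for c in calls if c.api == "LookupPrivilegeValueW"
             for a in c.args if a.startswith("Se") and a.endswith("Privilege")]
    return {"privileges": privs, "error_checked": "GetLastError" in names[pos:]}

def triage(block: str) -> dict:
    """Summarise one block: lowest call-site address, call order, strings, privilege use."""
    calls = parse_api_lines(block)
    own = [c for c in calls if c.subcall is None]
    return {
        "entry": min(c.ref for c in own) if own else None,
        "sequence": [c.api for c in own],
        "strings": string_args(calls),
        "privilege_chain": privilege_chain(calls),
    }

if __name__ == "__main__":
    for block in SAMPLE_BLOCKS:
        t = triage(block)
        print(f"{t['entry']:08X} {' -> '.join(t['sequence'])}")
        if t["privilege_chain"]:
            print("   enables", t["privilege_chain"])
```

                              Running the script prints one line per block and marks the first two as enabling SeRestorePrivilege and SeSecurityPrivilege with the result checked. Both listings on the page call GetLastError immediately after AdjustTokenPrivileges, which is the correct way to read that API. From a triage standpoint these two privileges are what a backup or archive tool needs to restore file owners and SACLs, so their appearance in the 7zr module (see the 7zCon.sfx and archive summary strings further down) is consistent with the tool's job; the same chain is worth a closer look when the privilege name is one an archiver has no use for.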
                              APIs
                              • __EH_prolog.LIBCMT ref: 001581F1
                                • Part of subcall function 0015F749: _CxxThrowException.MSVCRT(?,001C4A58), ref: 0015F792
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionH_prologThrow
                              • String ID:
                              • API String ID: 461045715-3916222277
                              • Opcode ID: 05999411d718d75ffda6d18d910627294943c5d407db1fac8c70cc46e87f8753
                              • Instruction ID: bee5b41d29872943eac68244b5b1a0f42909f7d9d0d3749fbea40127d3dcd516
                              • Opcode Fuzzy Hash: 05999411d718d75ffda6d18d910627294943c5d407db1fac8c70cc46e87f8753
                              • Instruction Fuzzy Hash: 35927C30901249DFDF15DFA8C884BAEBBB1BF58305F244099EC65BB291CB709E49CB61
                              APIs
                              • __EH_prolog.LIBCMT ref: 0011686D
                                • Part of subcall function 00116848: FindClose.KERNELBASE(00000000,?,00116880), ref: 00116853
                              • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 001168A5
                              • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 001168DE
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: Find$FileFirst$CloseH_prolog
                              • String ID:
                              • API String ID: 3371352514-0
                              • Opcode ID: 38fc61cfe33475ae0dea4ef9bc854b5c1e3c9ea7ae0310c33378afaf6b760455
                              • Instruction ID: 7a4a164b8e4ea7631812e581b3c86bdbd3d0760a8f5a06872e720d7e4c94a602
                              • Opcode Fuzzy Hash: 38fc61cfe33475ae0dea4ef9bc854b5c1e3c9ea7ae0310c33378afaf6b760455
                              • Instruction Fuzzy Hash: CF119031500219DFCB18EFA8D8515EDB779EF60324F104679E96157191DB329EC6DB40

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph [Graph of the routine at 14a013: basic blocks numbered 0 to 269 with their address ranges, internal call targets and node->node edges. The only import named directly in the graph is fputs, used to write the archive summary strings listed under String ID below.]
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputs$ExceptionThrow
                              • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $N
                              • API String ID: 3665150552-429544124
                              • Opcode ID: 776ec82b7e3d44d57b6ce14aa01a9ec1e2a59ddabacefe5c14e36471efd98ba5
                              • Instruction ID: c876fc7ed12a4cd893dc72098d52e2e5c022c039d896492ee2e55b44e3d36534
                              • Opcode Fuzzy Hash: 776ec82b7e3d44d57b6ce14aa01a9ec1e2a59ddabacefe5c14e36471efd98ba5
                              • Instruction Fuzzy Hash: 1652AE31D05259DFCF2ADBA4C895BEDFBB5AF64304F1440AAE049672A1DB346E88CF11

                              Control-flow Graph

                              • Graph for the function starting at 14a42c (rendered graph not reproduced; executed/not-executed colouring not recoverable)
                              APIs
                              • fputs.MSVCRT(Scanning the drive for archives:), ref: 0014A43E
                                • Part of subcall function 00111FA0: fputc.MSVCRT ref: 00111FA7
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputcfputs
                              • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $!"$N
                              • API String ID: 269475090-3104439828
                              • Opcode ID: b119b3766005a9a23cf604248adf0d6a628d18e5d019fc1e7c2b0a52a0f7e99c
                              • Instruction ID: 73953b16e86b41eaf7187b9677b678160cbb3f8a7396e2a9971aa91b603681f7
                              • Opcode Fuzzy Hash: b119b3766005a9a23cf604248adf0d6a628d18e5d019fc1e7c2b0a52a0f7e99c
                              • Instruction Fuzzy Hash: 4C22AF31904258EFDF2AEBA4C895BEDFBB1AF64300F54409EE449672A1DB746E84CF11

                              Control-flow Graph

                              • Graph for the function starting at 14993d (rendered graph not reproduced; executed/not-executed colouring not recoverable)
                              APIs
                                • Part of subcall function 0014B5B1: fputs.MSVCRT ref: 0014B5CA
                                • Part of subcall function 0014B5B1: fputs.MSVCRT ref: 0014B5E1
                              • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?), ref: 001499BD
                              • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?,?,?), ref: 001499C4
                              • _CxxThrowException.MSVCRT(?,001C55B8), ref: 00149A77
                              • _CxxThrowException.MSVCRT(?,001C55B8), ref: 00149ABB
                                • Part of subcall function 00111FB3: __EH_prolog.LIBCMT ref: 00111FB8
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrowfputs$BufferConsoleH_prologHandleInfoScreen
                              • String ID: $ || $Codecs:$Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$P$offset=$N
                              • API String ID: 377453556-3661318601
                              • Opcode ID: 0768447f57cc9819981e621dd26e3862af7354fbbbd064f92289799f3c9ca951
                              • Instruction ID: bce67f65e6196665f7b996521660c39e33622aa65bc896f1a338460184d52814
                              • Opcode Fuzzy Hash: 0768447f57cc9819981e621dd26e3862af7354fbbbd064f92289799f3c9ca951
                              • Instruction Fuzzy Hash: FE228F71D00209DFDF15EFA4D885BEDBBB1EF58310F20005AE555AB2A2CB359A85CF61

                              Control-flow Graph

                              • Graph for the function starting at 121ade (rendered graph not reproduced; executed/not-executed colouring not recoverable)
                              APIs
                              • __EH_prolog.LIBCMT ref: 00121AE3
                                • Part of subcall function 001113F5: __EH_prolog.LIBCMT ref: 001113FA
                              • _CxxThrowException.MSVCRT(?,001C6010), ref: 00121B2D
                              • _fileno.MSVCRT ref: 00121B3E
                              • _isatty.MSVCRT ref: 00121B47
                              • _fileno.MSVCRT ref: 00121B5D
                              • _isatty.MSVCRT ref: 00121B60
                              • _fileno.MSVCRT ref: 00121B73
                              • _CxxThrowException.MSVCRT(?,001C6010), ref: 00121CBB
                              • _CxxThrowException.MSVCRT(?,001C6010), ref: 00121DBD
                              • wcscmp.MSVCRT ref: 00121DCA
                              • _CxxThrowException.MSVCRT(?,001C6010), ref: 00121E04
                              • _isatty.MSVCRT ref: 00121B76
                                • Part of subcall function 00131D73: __EH_prolog.LIBCMT ref: 00131D78
                              • _CxxThrowException.MSVCRT(?,001C6010), ref: 00121E2C
                              • GetCurrentProcess.KERNEL32(00000000,00000000,?,Set process affinity mask: ,?), ref: 00121E3B
                              • SetProcessAffinityMask.KERNEL32(00000000), ref: 00121E42
                              • GetLastError.KERNEL32(?,Set process affinity mask: ,?), ref: 00121E4C
                              Strings
                              • Unsupported switch postfix -bb, xrefs: 00121CA8
                              • unsupported value -stm, xrefs: 00121E19
                              • SeLockMemoryPrivilege, xrefs: 00121D28
                              • Unsupported switch postfix -stm, xrefs: 00121DAA
                              • Unsupported switch postfix for -slp, xrefs: 00121DF1
                              • Set process affinity mask: , xrefs: 00121D74
                              • : ERROR : , xrefs: 00121E52
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrow$H_prolog_fileno_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                              • String ID: : ERROR : $SeLockMemoryPrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp$unsupported value -stm
                              • API String ID: 1826148334-1115009270
                              • Opcode ID: 2c1a872a813dc52c56c6bbfac19ed90374f74a7a5411e7a92a6561fd80f0b0d2
                              • Instruction ID: 04a7c082abeda70cad4ccb4b6d9ee8f4288ced962cd470a5bbc926b6b0e069f5
                              • Opcode Fuzzy Hash: 2c1a872a813dc52c56c6bbfac19ed90374f74a7a5411e7a92a6561fd80f0b0d2
                              • Instruction Fuzzy Hash: A4C1D531900345EFDB15DFB8D888BD9BBF5AF39310F0484A9E495A7292C774A9A4CB60

                              Control-flow Graph

                              • Graph for the function starting at 148012 (rendered graph not reproduced; executed/not-executed colouring not recoverable)
                              APIs
                              • __EH_prolog.LIBCMT ref: 00148017
                              • fputs.MSVCRT ref: 0014804D
                                • Part of subcall function 00148341: __EH_prolog.LIBCMT ref: 00148346
                                • Part of subcall function 00148341: fputs.MSVCRT ref: 0014835B
                                • Part of subcall function 00148341: fputs.MSVCRT ref: 00148364
                              • fputs.MSVCRT ref: 0014807A
                                • Part of subcall function 00111FA0: fputc.MSVCRT ref: 00111FA7
                                • Part of subcall function 0011965D: VariantClear.OLEAUT32(?), ref: 0011967F
                              • SysFreeString.OLEAUT32(00000000), ref: 001481AA
                              • fputs.MSVCRT ref: 001481CD
                              • SysFreeString.OLEAUT32(00000000), ref: 00148267
                              • SysFreeString.OLEAUT32(00000000), ref: 001482B1
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                              • String ID: --$----$Path$Type$Warning: The archive is open with offset
                              • API String ID: 2889736305-3797937567
                              • Opcode ID: 69b21ca43d6be98c1f36243fdca643cebbb4581687f1d19bbfa1ff353cbabb53
                              • Instruction ID: e607a78f1dca7c46f20cefae26a70520d4307293c9853259c431e6f3e772b575
                              • Opcode Fuzzy Hash: 69b21ca43d6be98c1f36243fdca643cebbb4581687f1d19bbfa1ff353cbabb53
                              • Instruction Fuzzy Hash: 8E914831A10605EFDB18DFA8CD95EAEB7B5FF58310F20412DE512A72A1DB70AD46CB60

                              Control-flow Graph

                              • Graph for the function starting at 146766 (rendered graph not reproduced; executed/not-executed colouring not recoverable)
                              APIs
                              • __EH_prolog.LIBCMT ref: 0014676B
                              • EnterCriticalSection.KERNEL32(001D2938), ref: 00146781
                              • fputs.MSVCRT ref: 0014680B
                              • LeaveCriticalSection.KERNEL32(001D2938), ref: 00146944
                                • Part of subcall function 0014C7D7: fputs.MSVCRT ref: 0014C840
                              • fputs.MSVCRT ref: 00146851
                                • Part of subcall function 00112201: fputs.MSVCRT ref: 0011221E
                              • fputs.MSVCRT ref: 001468D9
                              • fputs.MSVCRT ref: 001468F6
                                • Part of subcall function 00111FA0: fputc.MSVCRT ref: 00111FA7
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                              • String ID: v$Sub items Errors:
                              • API String ID: 2670240366-2468115448
                              • Opcode ID: 78009d92382bab501fa07f3c0cd6ca770f326769b9a2614c4b139058981a9950
                              • Instruction ID: 653f589f7f3c6e04fe3e0ac7497f6a2919752540e7b649056472a0838f894c5f
                              • Opcode Fuzzy Hash: 78009d92382bab501fa07f3c0cd6ca770f326769b9a2614c4b139058981a9950
                              • Instruction Fuzzy Hash: E651CB32505701DFCB28AF64D890AEAB7E2FF95318F10453EE19A97261CB306C85CB91

                              Control-flow Graph

                              • Graph for the function starting at 146359 (rendered graph not reproduced; executed/not-executed colouring not recoverable)
                              APIs
                              • __EH_prolog.LIBCMT ref: 0014635E
                              • fputs.MSVCRT ref: 0014645F
                                • Part of subcall function 0014C7D7: fputs.MSVCRT ref: 0014C840
                              • fputs.MSVCRT ref: 00146547
                              • fputs.MSVCRT ref: 0014665F
                              • fputs.MSVCRT ref: 001466AE
                                • Part of subcall function 00111F91: fflush.MSVCRT ref: 00111F93
                                • Part of subcall function 00111FB3: __EH_prolog.LIBCMT ref: 00111FB8
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prolog$fflushfree
                              • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                              • API String ID: 1750297421-1898165966
                              • Opcode ID: 19bfef4368e831d51040508679bcf3aff5c540a4b0d01e6297fa4a352aa072f8
                              • Instruction ID: c7f67b6f875f4f9fde8d655d4a4260b7e8c3a2067c157ab80514447348e50168
                              • Opcode Fuzzy Hash: 19bfef4368e831d51040508679bcf3aff5c540a4b0d01e6297fa4a352aa072f8
                              • Instruction Fuzzy Hash: EEB17D316017019FDB28EF64D9A1BEAB7E2BF55308F04453DE55A572A2CB30AC89CF52

                              Control-flow Graph

                              APIs
                              • GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00119CB3
                              • GetProcAddress.KERNEL32(00000000), ref: 00119CBA
                              • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00119CC8
                              • GlobalMemoryStatus.KERNEL32(?), ref: 00119CFA
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: GlobalMemoryStatus$AddressHandleModuleProc
                              • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                              • API String ID: 180289352-802862622
                              • Opcode ID: 2c8b8f47cf4601bc129cacb96cceb58a2844572ba404d5c3c0fa20ec98404650
                              • Instruction ID: 073f7cc098377af71561342daaae1a36bcba41004347b4a401d44664d6002522
                              • Opcode Fuzzy Hash: 2c8b8f47cf4601bc129cacb96cceb58a2844572ba404d5c3c0fa20ec98404650
                              • Instruction Fuzzy Hash: D7111B70900319DBDF28DFA4D869BEDBBF5BF14705F104428E496A7640E778A984CF94

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
                              • String ID:
                              • API String ID: 4012487245-0
                              • Opcode ID: 947e9392333fced258435eb142da0c4e589a2531cc907becaccf4aad6db74602
                              • Instruction ID: fb2e8c2255388bfbe53b7569a5a94d5ff3e155811ccbada659db32ba51108f7d
                              • Opcode Fuzzy Hash: 947e9392333fced258435eb142da0c4e589a2531cc907becaccf4aad6db74602
                              • Instruction Fuzzy Hash: 1E211A75902708EFCB11AFA8DC45EDEBB79FB1D720F10421AF521A2AE1D7B45481CB60

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__setusermatherr_controlfpexit
                              • String ID:
                              • API String ID: 279829931-0
                              • Opcode ID: 7a36161fc2187f705a4631e3ea9cdd36975091e1b590b053e5bbbbbb35f28916
                              • Instruction ID: 6901db8c8012c08311258bb46c6207ee344de4ee77cb37bb2072965c91b80292
                              • Opcode Fuzzy Hash: 7a36161fc2187f705a4631e3ea9cdd36975091e1b590b053e5bbbbbb35f28916
                              • Instruction Fuzzy Hash: 4D011AB2901208EFDB05AFE4DC45CEEBB79FB1C300B10411AF511B6661DBB59881CB70

                              Control-flow Graph

                              APIs
                              • __EH_prolog.LIBCMT ref: 0013185D
                                • Part of subcall function 0013021A: __EH_prolog.LIBCMT ref: 0013021F
                                • Part of subcall function 0013062E: __EH_prolog.LIBCMT ref: 00130633
                              • _CxxThrowException.MSVCRT(?,001C6010), ref: 00131961
                                • Part of subcall function 00131AA5: __EH_prolog.LIBCMT ref: 00131AAA
                              Strings
                              • Duplicate archive path:, xrefs: 00131A8D
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrow
                              • String ID: Duplicate archive path:
                              • API String ID: 2366012087-4000988232
                              • Opcode ID: d7ce89b53493bdc4c8b5b39fceadf321c9503a9f4ecc08a90a7a7ac9dd1dce4f
                              • Instruction ID: b28fd1a83724dbe4f9cbd39fc3bfd8c2a095492f76f48d1ccf850bd18db1f443
                              • Opcode Fuzzy Hash: d7ce89b53493bdc4c8b5b39fceadf321c9503a9f4ecc08a90a7a7ac9dd1dce4f
                              • Instruction Fuzzy Hash: 15815935D00258EFCF15EFE4D491ADDBBB5AF29310F1040A9E516B72A2DB30AE45CB60

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: f76c74ca42640d212c1556928e4f6be8e3e03400f5dfca2dac8d04969b72ed8b
                              • Instruction ID: 4ad4f1a82dbb275029e28a84da6663f7c9d6ff58d8439ac841e23f9f8a70fb5d
                              • Opcode Fuzzy Hash: f76c74ca42640d212c1556928e4f6be8e3e03400f5dfca2dac8d04969b72ed8b
                              • Instruction Fuzzy Hash: B4519C7AA00315DFDB14DFA4C894BBEB3B5FB98351F14842DE911AB241D770E90ACB60

                              Control-flow Graph

                              APIs
                              • __EH_prolog.LIBCMT ref: 00116C77
                              • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 00116EC9
                                • Part of subcall function 00116C72: wcscmp.MSVCRT ref: 001170A5
                                • Part of subcall function 00116BF5: __EH_prolog.LIBCMT ref: 00116BFA
                                • Part of subcall function 00116BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 00116C1A
                                • Part of subcall function 00116BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00116C49
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                              • String ID: :$DATA
                              • API String ID: 3316598575-2587938151
                              • Opcode ID: fb410cd47967588829ab23810c2285e42d75dd44d512d4ff608787d286bf649f
                              • Instruction ID: 0362a7b8f15345001bf0ea279c5fa2f9c828f7bbe69b421cdb7ceb8649bf3971
                              • Opcode Fuzzy Hash: fb410cd47967588829ab23810c2285e42d75dd44d512d4ff608787d286bf649f
                              • Instruction Fuzzy Hash: 3BE105309043099ACF2DEFA4C891BEDB7B1BF25314F108539E856672D1EB7269CACB51
                              APIs
                              • __EH_prolog.LIBCMT ref: 00126FCA
                                • Part of subcall function 00126E71: __EH_prolog.LIBCMT ref: 00126E76
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
                              • API String ID: 3519838083-394804653
                              • Opcode ID: 38fe5c8f6f664f674f9760876cf7dcbda86dd53c19a4b8ded059243e86c1bed7
                              • Instruction ID: 48d604392d5798ece38aafa9490c83f910ca1404f621b7e13550760f22cedb16
                              • Opcode Fuzzy Hash: 38fe5c8f6f664f674f9760876cf7dcbda86dd53c19a4b8ded059243e86c1bed7
                              • Instruction Fuzzy Hash: 1C41C972909264DFCF25DFA4A4905EFFBF5AF59300F54446EE086A3281C7306E68C765
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prolog
                              • String ID: =
                              • API String ID: 2614055831-2525689732
                              • Opcode ID: a7cf416bdc71315fd7162198f17150bb42a170edd774172ddbc9fa7c68564d52
                              • Instruction ID: 36c83773f8d11ab5203ae0483852bfb758c9a4ad72226a699c3561c4409cae2d
                              • Opcode Fuzzy Hash: a7cf416bdc71315fd7162198f17150bb42a170edd774172ddbc9fa7c68564d52
                              • Instruction Fuzzy Hash: 50214A32A05118ABCF0AEB94D952BEDBBB5EF68310F20002AF401761A1DF756E95CB95
                              APIs
                              • __EH_prolog.LIBCMT ref: 00148346
                              • fputs.MSVCRT ref: 0014835B
                              • fputs.MSVCRT ref: 00148364
                                • Part of subcall function 001483BF: __EH_prolog.LIBCMT ref: 001483C4
                                • Part of subcall function 001483BF: fputs.MSVCRT ref: 00148401
                                • Part of subcall function 001483BF: fputs.MSVCRT ref: 00148437
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prolog
                              • String ID: =
                              • API String ID: 2614055831-2525689732
                              • Opcode ID: e3cc185c2b0e0b796fb811b28e76d811e54d24122c5890b88398a30954d5feb8
                              • Instruction ID: faf3e9fa166195f6e54847f8f5a45ff9310f127a2c44f1bce7a4f9d2ea3d451d
                              • Opcode Fuzzy Hash: e3cc185c2b0e0b796fb811b28e76d811e54d24122c5890b88398a30954d5feb8
                              • Instruction Fuzzy Hash: 07018631A00005ABCF1ABFA8D812AEDBF75FF94750F00402AF901A21A1CF748A96DBD1
                              APIs
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,00000000,0012AB57), ref: 001A7DAA
                              • GetLastError.KERNEL32(?,00000000,0012AB57), ref: 001A7DBB
                              • CloseHandle.KERNELBASE(00000000,?,00000000,0012AB57), ref: 001A7DCF
                              • GetLastError.KERNEL32(?,00000000,0012AB57), ref: 001A7DD9
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: ErrorLast$CloseHandleObjectSingleWait
                              • String ID:
                              • API String ID: 1796208289-0
                              • Opcode ID: 0d2e5e6b9c4f79460170362e1e002f52bc5246ffb9ba9a072c4d93975de4ffb0
                              • Instruction ID: 68c3e6a01df830b0481d4c250ac926bddfb19fcf0f6279d835778d88d976c158
                              • Opcode Fuzzy Hash: 0d2e5e6b9c4f79460170362e1e002f52bc5246ffb9ba9a072c4d93975de4ffb0
                              • Instruction Fuzzy Hash: 1CF012B970C20287EB206AFD9C84F3666DCAF57374B210B25F561D31D0DB60CD408660
                              APIs
                              • __EH_prolog.LIBCMT ref: 0013209B
                                • Part of subcall function 0011757D: GetLastError.KERNEL32(0011D14C), ref: 0011757D
                                • Part of subcall function 00132C6C: __EH_prolog.LIBCMT ref: 00132C71
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ErrorLastfree
                              • String ID: Cannot find archive file$The item is a directory
                              • API String ID: 683690243-1569138187
                              • Opcode ID: 1593aed0565c6728686fbc3f5b170a9b778193e288b888c79c932e1ad9e286e9
                              • Instruction ID: 46a39ae3f9531f30872557f9e704c2ac5d6782dc617a7e81f55964e31782fbb0
                              • Opcode Fuzzy Hash: 1593aed0565c6728686fbc3f5b170a9b778193e288b888c79c932e1ad9e286e9
                              • Instruction Fuzzy Hash: 6D724770D00258DFCB25EFA8C984BDEBBB1BF59304F25409AE859A7252C7709E81CF51
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: CountTickfputs
                              • String ID: .
                              • API String ID: 290905099-4150638102
                              • Opcode ID: 52cc9f0231ef8601e34d2efb8e2f97ed4cc736e27d230049b8274a5da0256332
                              • Instruction ID: 3d757ec68caad6858c60087640631ac442db00260165c6dccdc632d80f1a7f9e
                              • Opcode Fuzzy Hash: 52cc9f0231ef8601e34d2efb8e2f97ed4cc736e27d230049b8274a5da0256332
                              • Instruction Fuzzy Hash: BF715930600B049FCB65EF68C491AAAB7F6AF91704F10492DE09797A61DB70F989CB51
                              APIs
                                • Part of subcall function 00119C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00119CB3
                                • Part of subcall function 00119C8F: GetProcAddress.KERNEL32(00000000), ref: 00119CBA
                                • Part of subcall function 00119C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00119CC8
                              • __aulldiv.LIBCMT ref: 0015093F
                              • __aulldiv.LIBCMT ref: 0015094B
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                              • String ID: 3333
                              • API String ID: 3520896023-2924271548
                              APIs
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                              • memset.MSVCRT ref: 0013AEBA
                              • memset.MSVCRT ref: 0013AECD
                                • Part of subcall function 001504D2: _CxxThrowException.MSVCRT(?,001C4A58), ref: 001504F8
                              Strings
                              Similarity
                              • API ID: memset$ExceptionThrowfree
                              • String ID: Split
                              • API String ID: 1404239998-1882502421
                              APIs
                              • __EH_prolog.LIBCMT ref: 0011759F
                                • Part of subcall function 0011764C: CloseHandle.KERNELBASE(00000000,?,001175AF,00000002,?,00000000,00000000), ref: 00117657
                              • CreateFileW.KERNELBASE(00000000,00000000,?,00000000,00000002,00000000,00000000,?,00000000,00000002,?,00000000,00000000), ref: 001175E5
                              • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,00000000,?,00000000,00000002), ref: 00117626
                              Similarity
                              • API ID: CreateFile$CloseH_prologHandle
                              • String ID:
                              • API String ID: 449569272-0
                              APIs
                              • fputs.MSVCRT ref: 00148437
                              • fputs.MSVCRT ref: 00148401
                                • Part of subcall function 00111FB3: __EH_prolog.LIBCMT ref: 00111FB8
                              • __EH_prolog.LIBCMT ref: 001483C4
                                • Part of subcall function 00111FA0: fputc.MSVCRT ref: 00111FA7
                              Similarity
                              • API ID: H_prologfputs$fputc
                              • String ID:
                              • API String ID: 678540050-0
                              APIs
                              • SetFilePointer.KERNELBASE(00000002,?,00000000,?,00000002,00000002,?,00000002,?,001177DB,?,?,00000000,?,00117832,?), ref: 00117773
                              • GetLastError.KERNEL32(?,001177DB,?,?,00000000,?,00117832,?,?,?,?,00000000), ref: 00117780
                              • SetLastError.KERNEL32(00000000,?,?,001177DB,?,?,00000000,?,00117832,?,?,?,?,00000000), ref: 00117797
                              Similarity
                              • API ID: ErrorLast$FilePointer
                              • String ID:
                              • API String ID: 1156039329-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 00115A91
                              • SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 00115AB7
                              • SetFileAttributesW.KERNEL32(?,?,00000000,?,?,00000000), ref: 00115AEC
                              Similarity
                              • API ID: AttributesFile$H_prolog
                              • String ID:
                              • API String ID: 3790360811-0
                              APIs
                              • EnterCriticalSection.KERNEL32(001D2938), ref: 0014588B
                              • LeaveCriticalSection.KERNEL32(001D2938), ref: 001458BC
                                • Part of subcall function 0014C911: GetTickCount.KERNEL32 ref: 0014C926
                              Strings
                              Similarity
                              • API ID: CriticalSection$CountEnterLeaveTick
                              • String ID: v
                              • API String ID: 1056156058-3261393531
                              APIs
                              • __EH_prolog.LIBCMT ref: 00125BEF
                                • Part of subcall function 001254C0: __EH_prolog.LIBCMT ref: 001254C5
                                • Part of subcall function 00125630: __EH_prolog.LIBCMT ref: 00125635
                                • Part of subcall function 001336EA: __EH_prolog.LIBCMT ref: 001336EF
                                • Part of subcall function 001257C1: __EH_prolog.LIBCMT ref: 001257C6
                                • Part of subcall function 001258BE: __EH_prolog.LIBCMT ref: 001258C3
                              Strings
                              • Cannot seek to begin of file, xrefs: 0012610F
                              Similarity
                              • API ID: H_prolog
                              • String ID: Cannot seek to begin of file
                              • API String ID: 3519838083-2298593816
                              APIs
                              • __EH_prolog.LIBCMT ref: 00154E8F
                                • Part of subcall function 0011965D: VariantClear.OLEAUT32(?), ref: 0011967F
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                              Strings
                              Similarity
                              • API ID: ClearH_prologVariantfree
                              • String ID: file
                              • API String ID: 904627215-2359244304
                              APIs
                              • __EH_prolog.LIBCMT ref: 00132CE0
                                • Part of subcall function 00115E10: __EH_prolog.LIBCMT ref: 00115E15
                                • Part of subcall function 001241EC: _CxxThrowException.MSVCRT(?,001C4A58), ref: 0012421A
                                • Part of subcall function 0011965D: VariantClear.OLEAUT32(?), ref: 0011967F
                              Strings
                              • Cannot create output directory, xrefs: 00133070
                              Similarity
                              • API ID: H_prolog$ClearExceptionThrowVariant
                              • String ID: Cannot create output directory
                              • API String ID: 814188403-1181934277
                              APIs
                              • fputs.MSVCRT ref: 0014C840
                                • Part of subcall function 001125CB: _CxxThrowException.MSVCRT(?,001C4A58), ref: 001125ED
                              Strings
                              Similarity
                              • API ID: ExceptionThrowfputs
                              • String ID:
                              • API String ID: 1334390793-399585960
                              APIs
                              Strings
                              Similarity
                              • API ID: fputs
                              • String ID: Open
                              • API String ID: 1795875747-71445658
                              APIs
                              • __EH_prolog.LIBCMT ref: 001258C3
                                • Part of subcall function 00116C72: __EH_prolog.LIBCMT ref: 00116C77
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                              Similarity
                              • API ID: H_prolog$free
                              • String ID:
                              • API String ID: 2654054672-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 001606B3
                              • _CxxThrowException.MSVCRT(?,001CD480), ref: 001608F2
                                • Part of subcall function 00111E0C: malloc.MSVCRT ref: 00111E1F
                                • Part of subcall function 00111E0C: _CxxThrowException.MSVCRT(?,001C4B28), ref: 00111E39
                              Similarity
                              • API ID: ExceptionThrow$H_prologmalloc
                              • String ID:
                              • API String ID: 3044594480-0
                              APIs
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 00137B4D
                              • memcpy.MSVCRT(00000000,001D27DC,00000000,00000000,?,?,00000000,00000000,00000000,00000002), ref: 00137C65
                              Similarity
                              • API ID: H_prologmemcpy
                              • String ID:
                              • API String ID: 2991061955-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 00161516
                                • Part of subcall function 001610D3: __EH_prolog.LIBCMT ref: 001610D8
                              • _CxxThrowException.MSVCRT(?,001CD480), ref: 00161561
                              Similarity
                              • API ID: H_prolog$ExceptionThrow
                              • String ID:
                              • API String ID: 2366012087-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 00145800
                              • fputs.MSVCRT ref: 00145830
                                • Part of subcall function 00111FA0: fputc.MSVCRT ref: 00111FA7
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                              Similarity
                              • API ID: H_prologfputcfputsfree
                              • String ID:
                              • API String ID: 195749403-0
                              APIs
                              • SysAllocStringLen.OLEAUT32(?,?), ref: 0011952C
                              • _CxxThrowException.MSVCRT(?,001C55B8), ref: 0011954A
                              Similarity
                              • API ID: AllocExceptionStringThrow
                              • String ID:
                              • API String ID: 3773818493-0
                              APIs
                              Similarity
                              • API ID: fputs$fputc
                              • String ID:
                              • API String ID: 1185151155-0
                              APIs
                              Similarity
                              • API ID: ErrorLast_beginthreadex
                              • String ID:
                              • API String ID: 4034172046-0
                              APIs
                              • GetCurrentProcess.KERNEL32(?,?,00119C6E), ref: 00119C52
                              • GetProcessAffinityMask.KERNEL32(00000000), ref: 00119C59
                              Similarity
                              • API ID: Process$AffinityCurrentMask
                              • String ID:
                              • API String ID: 1231390398-0
                              APIs
                              • memcpy.MSVCRT(?,00000000,00000000,00000000,00040000,?), ref: 0011B843
                              • GetLastError.KERNEL32 ref: 0011B8AA
                              Similarity
                              • API ID: ErrorLastmemcpy
                              • String ID:
                              • API String ID: 2523627151-0
                              APIs
                              Similarity
                              • API ID: ExceptionThrowmalloc
                              • String ID:
                              • API String ID: 2436765578-0
                              APIs
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              APIs
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              APIs
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 0015CF96
                                • Part of subcall function 00161511: __EH_prolog.LIBCMT ref: 00161516
                                • Part of subcall function 00161511: _CxxThrowException.MSVCRT(?,001CD480), ref: 00161561
                              Similarity
                              • API ID: H_prolog$ExceptionThrow
                              • String ID:
                              • API String ID: 2366012087-0
                              APIs
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              APIs
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 00124255
                                • Part of subcall function 0012440B: __EH_prolog.LIBCMT ref: 00124410
                                • Part of subcall function 00111E0C: malloc.MSVCRT ref: 00111E1F
                                • Part of subcall function 00111E0C: _CxxThrowException.MSVCRT(?,001C4B28), ref: 00111E39
                              Similarity
                              • API ID: H_prolog$ExceptionThrowmalloc
                              • String ID:
                              • API String ID: 3744649731-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 0013D0E6
                                • Part of subcall function 00111E0C: malloc.MSVCRT ref: 00111E1F
                                • Part of subcall function 00111E0C: _CxxThrowException.MSVCRT(?,001C4B28), ref: 00111E39
                              Similarity
                              • API ID: ExceptionH_prologThrowmalloc
                              • String ID:
                              • API String ID: 3978722251-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 00127FCA
                                • Part of subcall function 0011950D: SysAllocStringLen.OLEAUT32(?,?), ref: 0011952C
                                • Part of subcall function 0011950D: _CxxThrowException.MSVCRT(?,001C55B8), ref: 0011954A
                              Similarity
                              • API ID: AllocExceptionH_prologStringThrow
                              • String ID:
                              • API String ID: 1940201546-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 0014ADBC
                                • Part of subcall function 0014AD29: __EH_prolog.LIBCMT ref: 0014AD2E
                                • Part of subcall function 0014AF2D: __EH_prolog.LIBCMT ref: 0014AF32
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              APIs
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 001398F7
                                • Part of subcall function 00139987: __EH_prolog.LIBCMT ref: 0013998C
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 0013021F
                                • Part of subcall function 00123D66: __EH_prolog.LIBCMT ref: 00123D6B
                                • Part of subcall function 00123D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00123D7D
                                • Part of subcall function 00123D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00123D94
                                • Part of subcall function 00123D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00123DB6
                                • Part of subcall function 00123D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00123DCB
                                • Part of subcall function 00123D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00123DD5
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                              • String ID:
                              • API String ID: 1532160333-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 00131C74
                                • Part of subcall function 00116C72: __EH_prolog.LIBCMT ref: 00116C77
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 00127E5F
                                • Part of subcall function 00116C72: __EH_prolog.LIBCMT ref: 00116C77
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                                • Part of subcall function 0011757D: GetLastError.KERNEL32(0011D14C), ref: 0011757D
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ErrorLastfree
                              • String ID:
                              • API String ID: 683690243-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 0015BF91
                                • Part of subcall function 0015D144: __EH_prolog.LIBCMT ref: 0015D149
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$free
                              • String ID:
                              • API String ID: 2654054672-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 0015BDBA
                                • Part of subcall function 0015BE69: __EH_prolog.LIBCMT ref: 0015BE6E
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              APIs
                              • SetFileTime.KERNEL32(00000002,00000000,000000FF,00000000,00000000,80000000,00000000,?,00111AD1,00000000,00000002,00000002,?,00117B3E,?,00000000), ref: 00117AFD
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: FileTime
                              • String ID:
                              • API String ID: 1425588814-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 0014C0B8
                                • Part of subcall function 00137193: __EH_prolog.LIBCMT ref: 00137198
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$free
                              • String ID:
                              • API String ID: 2654054672-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 00150364
                                • Part of subcall function 001501C4: __EH_prolog.LIBCMT ref: 001501C9
                                • Part of subcall function 00150143: __EH_prolog.LIBCMT ref: 00150148
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                                • Part of subcall function 001503D8: __EH_prolog.LIBCMT ref: 001503DD
                                • Part of subcall function 0015004A: __EH_prolog.LIBCMT ref: 0015004F
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$free
                              • String ID:
                              • API String ID: 2654054672-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 0015550A
                                • Part of subcall function 00154E8A: __EH_prolog.LIBCMT ref: 00154E8F
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 00155E30
                                • Part of subcall function 001508B6: __aulldiv.LIBCMT ref: 0015093F
                                • Part of subcall function 0012DFC9: __EH_prolog.LIBCMT ref: 0012DFCE
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$__aulldiv
                              • String ID:
                              • API String ID: 604474441-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 00158ED6
                                • Part of subcall function 00159267: __EH_prolog.LIBCMT ref: 0015926C
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              APIs
                              • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00117C8B
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: FileWrite
                              • String ID:
                              • API String ID: 3934441357-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 0015BE6E
                                • Part of subcall function 00155E2B: __EH_prolog.LIBCMT ref: 00155E30
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID:
                              • API String ID: 1795875747-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 0014F74A
                                • Part of subcall function 0014F784: __EH_prolog.LIBCMT ref: 0014F789
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: d2a4a73d96312899b6d1f23382cb9e2910fae33416684a66f1dfefe5572c0a1b
                              • Instruction ID: a8d6ad53bbcb1a403f8a101fc5b680b45d139eb147ff0a53fcab38351700acae
                              • Opcode Fuzzy Hash: d2a4a73d96312899b6d1f23382cb9e2910fae33416684a66f1dfefe5572c0a1b
                              • Instruction Fuzzy Hash: 0AD01275A50204BFD7149B85D912BEFB778EB41755F10052EF00171281C3B9590086A4
                              APIs
                              • ReadFile.KERNELBASE(00000002,?,?,00000000,00000000,00000002,?,0011785F,00000000,00004000,00000000,00000002,?,?,?), ref: 00117B65
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID:
                              • API String ID: 2738559852-0
                              • Opcode ID: 4b6b8055c576f0c936ad62af6daf7f809ffab2b511048cec356c0c056f77b089
                              • Instruction ID: 117425773905657a9983bc8a5ebc8a4b03eaaa15f2b1d4c8b2bb621c59136135
                              • Opcode Fuzzy Hash: 4b6b8055c576f0c936ad62af6daf7f809ffab2b511048cec356c0c056f77b089
                              • Instruction Fuzzy Hash: 7EE0EC75200208FBDF01CF94CC01F8E7BB9AB49754F208158F905A6160C375AA54EB50
                              APIs
                              • __EH_prolog.LIBCMT ref: 001680AF
                                • Part of subcall function 00111E0C: malloc.MSVCRT ref: 00111E1F
                                • Part of subcall function 00111E0C: _CxxThrowException.MSVCRT(?,001C4B28), ref: 00111E39
                                • Part of subcall function 0015BDB5: __EH_prolog.LIBCMT ref: 0015BDBA
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrowmalloc
                              • String ID:
                              • API String ID: 3744649731-0
                              • Opcode ID: 83e68a90c2e3ffb6f22088c6cf88a17564f175c3c9827cfbac86a53650e2af3b
                              • Instruction ID: c9fe5876a2e938726e42688a3a5162402625c05c9f99e22d56d1007b77156532
                              • Opcode Fuzzy Hash: 83e68a90c2e3ffb6f22088c6cf88a17564f175c3c9827cfbac86a53650e2af3b
                              • Instruction Fuzzy Hash: E4D05E71B05201AFCB0CEFF499227AEB6F0AB58344F00497DB416E7781EF7089118A24
                              APIs
                              • FindClose.KERNELBASE(00000000,?,00116880), ref: 00116853
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: CloseFind
                              • String ID:
                              • API String ID: 1863332320-0
                              • Opcode ID: d843b324af26d03efaf7bef1f252a6c880c7da4bf013e0da4409b9ec1cc2ca61
                              • Instruction ID: 2bb0524611c52ffd1815858bf415d370e67c0e97659e2ac42533cda4b916cb41
                              • Opcode Fuzzy Hash: d843b324af26d03efaf7bef1f252a6c880c7da4bf013e0da4409b9ec1cc2ca61
                              • Instruction Fuzzy Hash: 9FD01231104322868A686E3EB8489C673D96F063343210BAAF0B0D31E2E7628CC39A90
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID:
                              • API String ID: 1795875747-0
                              • Opcode ID: 6f86ace5de5cf2966691ded9598812641f06d09306faff3a84682f6ef993eb64
                              • Instruction ID: af558c866363558dc4e26a3101acb5c91dffa89b65562069181ec912dc858643
                              • Opcode Fuzzy Hash: 6f86ace5de5cf2966691ded9598812641f06d09306faff3a84682f6ef993eb64
                              • Instruction Fuzzy Hash: D9D0C93600C251AF96296F05EC09C8BBBA5FFE9320721092FF480A21609B626865DAA0
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputc
                              • String ID:
                              • API String ID: 1992160199-0
                              • Opcode ID: 862b39dd2629ad2aaeb77192192623bfaa585146a18dbbd2c8e4b8e888f48b04
                              • Instruction ID: 14bcb28f9898432a4669ce239a3b1aead73699f2c94e7bfc311d3b74404f9f4f
                              • Opcode Fuzzy Hash: 862b39dd2629ad2aaeb77192192623bfaa585146a18dbbd2c8e4b8e888f48b04
                              • Instruction Fuzzy Hash: 1EB092323082209BE6181A9CBC0AAC06794DB09732B21015BF544D21909A911C824AE5
                              APIs
                              • SetFileTime.KERNELBASE(?,?,?,?,00117C65,00000000,00000000,?,0011F238,?,?,?,?), ref: 00117C49
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: FileTime
                              • String ID:
                              • API String ID: 1425588814-0
                              • Opcode ID: 56597cc3e518ce025ba615842780ad996b75c108f9be2908bf3a010679b6ce7f
                              • Instruction ID: ba6a11e89f480e32c7c4ae5af15c29517e325d330d3d09d7b57f6837006a6707
                              • Opcode Fuzzy Hash: 56597cc3e518ce025ba615842780ad996b75c108f9be2908bf3a010679b6ce7f
                              • Instruction Fuzzy Hash: 42C04C36258105FF8F020F74CC04C1ABBA2EBA9711F10CA18F159D4470C7328024EB02
                              APIs
                              • SetEndOfFile.KERNELBASE(?,00117D81,?,?,?), ref: 00117D3E
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: File
                              • String ID:
                              • API String ID: 749574446-0
                              • Opcode ID: 837adc8b3c14b61feea55208273855d5775ceef3c70ad7b3a0de5c528bf638f3
                              • Instruction ID: f68f0269f1e6d15ae6132253264dd486b17366e4e46c4af721266e3fbd3941e6
                              • Opcode Fuzzy Hash: 837adc8b3c14b61feea55208273855d5775ceef3c70ad7b3a0de5c528bf638f3
                              • Instruction Fuzzy Hash: C5A002B02E511BCF8F111F38DC098243AA5BB5370776027A5B003DA8F5DF224459AA41
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: memmove
                              • String ID:
                              • API String ID: 2162964266-0
                              • Opcode ID: 998632b0e97e9a76e77e1433c828318fa84e7c7a38b3b774cfc6cf25ee0d87fd
                              • Instruction ID: b00e8820c97a7724a6ff7a07307cb59c395c613cf7c436c89d033f305aadb633
                              • Opcode Fuzzy Hash: 998632b0e97e9a76e77e1433c828318fa84e7c7a38b3b774cfc6cf25ee0d87fd
                              • Instruction Fuzzy Hash: 94813C75E44249AFCF18CFA8C484AEEBBB2AF48304F24847AD511A7341D775AAD4CF91
                              APIs
                              • CloseHandle.KERNELBASE(00000000,00000000,00123D8D,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00123E12
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: CloseHandle
                              • String ID:
                              • API String ID: 2962429428-0
                              • Opcode ID: bf95177467757567fd59087a90bf1e424c794ade5302d1dd3e0b3c3d70560858
                              • Instruction ID: 74a6b0844bde60ef9aadf68cba590568450eff6d1074ab7c2d9fd61553c25c32
                              • Opcode Fuzzy Hash: bf95177467757567fd59087a90bf1e424c794ade5302d1dd3e0b3c3d70560858
                              • Instruction Fuzzy Hash: 10D0123161422187DB705E2CF8047D163DD6F14321B164459F890DB140E768CCD75A90
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: malloc
                              • String ID:
                              • API String ID: 2803490479-0
                              • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                              • Instruction ID: e15225bde3a8fbc8b07c075cbd7b0a07408725f3a02b161b68d138556ea9dd5c
                              • Opcode Fuzzy Hash: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                              • Instruction Fuzzy Hash: 51D012B5B1360506DF494A784C5AB6B31942F5031AF2885BDE813CB299FB1DC6199268
                              APIs
                              • CloseHandle.KERNELBASE(00000000,?,001175AF,00000002,?,00000000,00000000), ref: 00117657
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: CloseHandle
                              • String ID:
                              • API String ID: 2962429428-0
                              • Opcode ID: 2e7e3c9744bde325252c8524656f53a5458a11277e27e68bef6f949ec9fb2b67
                              • Instruction ID: a0eb34165ba514c8dece54034452d7bbe1a8dc2e30e958c95c0cb1dc71c8c3e1
                              • Opcode Fuzzy Hash: 2e7e3c9744bde325252c8524656f53a5458a11277e27e68bef6f949ec9fb2b67
                              • Instruction Fuzzy Hash: 78D01231148622469A681E3C78459C233E85B163343710769F0B0D33E1D3608CC38690
                              APIs
                              • VirtualAlloc.KERNELBASE(00000000), ref: 00196B31
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 946351fe0094c63449bf90966cde40e74385b12d2497e35f45b61923717edbc7
                              • Instruction ID: 381b3a8e92a3bdcbd22eb9a7690e06fcfe60b5884b0b5e5ed7333f852dafebbb
                              • Opcode Fuzzy Hash: 946351fe0094c63449bf90966cde40e74385b12d2497e35f45b61923717edbc7
                              • Instruction Fuzzy Hash: 2EC08CE1A4D280DFDF0223108C817603B208B93300F0A00C1E4045B092C2041808C762
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: malloc
                              • String ID:
                              • API String ID: 2803490479-0
                              • Opcode ID: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                              • Instruction ID: b04dc239e3c79fce3677e003573e07154866d4b4b99f11a0cb69ff40bdb5b0aa
                              • Opcode Fuzzy Hash: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                              • Instruction Fuzzy Hash: B7A024CD51104001DD1D11703C114171000137030F7C004FC7401C0101F715C5041015
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: malloc
                              • String ID:
                              • API String ID: 2803490479-0
                              • Opcode ID: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                              • Instruction ID: 85f89c62dc9eb80f8d8b6b4e486ae33403863baaf1e4fe150f62db0307cd079b
                              • Opcode Fuzzy Hash: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                              • Instruction Fuzzy Hash: 72A022CCF0000002EE0A20B83C02823302333F0B0ABE8C8BCB8008220AFF28CC083023
                              APIs
                              • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00196BAC
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: FreeVirtual
                              • String ID:
                              • API String ID: 1263568516-0
                              • Opcode ID: 5432e10390e72314530adaf609b49457d85df2315d278a7f199b66fe4e4f1343
                              • Instruction ID: b6335beb14093702aca5612e7ec6804a8c3c7d23ebaa48527e9ed70ee1149e4f
                              • Opcode Fuzzy Hash: 5432e10390e72314530adaf609b49457d85df2315d278a7f199b66fe4e4f1343
                              • Instruction Fuzzy Hash: 49A0027C680700B7ED6077306D8FF5937247790F05F3086447241694D05BE470849A9C
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                              • Instruction ID: 8441b3c82bc07c0366fe6befcbb753545bb0949bd59ed3a47fa321b3b4f1b616
                              • Opcode Fuzzy Hash: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                              • Instruction Fuzzy Hash:
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                              • Instruction ID: 2ffbf666b131d7d15875e795a7fa20b6e5c98ef2c7d43b5a29869672e7d3c40b
                              • Opcode Fuzzy Hash: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                              • Instruction Fuzzy Hash:
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 1ec4dee85919a324ee5a543774ab68d1832c44ab6d18f064be04509af4a52201
                              • Instruction ID: d7adaa6891f29575ed21c433d2f9f2d862a7aca310c4aa852401dfc80dd56928
                              • Opcode Fuzzy Hash: 1ec4dee85919a324ee5a543774ab68d1832c44ab6d18f064be04509af4a52201
                              • Instruction Fuzzy Hash: A2A00271405102DBDA052B14ED094897B61EB95627B214569F057608718B3148A0BA51
                              APIs
                              • GetCurrentProcessId.KERNEL32(?,001D31C8,?,00000000), ref: 001957EA
                                • Part of subcall function 001AF050: memcpy.MSVCRT(?,?,?,00000000,?,?,?,001A8202,?,?,?,001A932B,?,?,00000000,00000000), ref: 001AF07F
                              • GetCurrentThreadId.KERNEL32 ref: 00195803
                                • Part of subcall function 001AF050: memcpy.MSVCRT(?,?,00000040,00000000,?,?,?,001A8202,?,?,?,001A932B,?,?,00000000,00000000), ref: 001AF09B
                                • Part of subcall function 001AF050: memcpy.MSVCRT(?,?,?,?,?,?), ref: 001AF0D0
                              • LoadLibraryW.KERNEL32(advapi32.dll,00000004,?,00000000), ref: 00195821
                              • GetProcAddress.KERNEL32(00000000,SystemFunction036), ref: 00195833
                              • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 00195865
                              • QueryPerformanceCounter.KERNEL32(?,?,00000000), ref: 00195876
                              • GetTickCount.KERNEL32 ref: 0019588F
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: memcpy$CurrentLibrary$AddressCountCounterFreeLoadPerformanceProcProcessQueryThreadTick
                              • String ID: SystemFunction036$advapi32.dll
                              • API String ID: 3940253874-1354007664
                              • Opcode ID: acc137bdf7a402f785b20fcbba8cc67cd2f84e507da7bff82950c9a11225e927
                              • Instruction ID: d578576411517972a6a46e05596a66f5a9bf4287fb6e5fbb61f6cdf0c47e7739
                              • Opcode Fuzzy Hash: acc137bdf7a402f785b20fcbba8cc67cd2f84e507da7bff82950c9a11225e927
                              • Instruction Fuzzy Hash: 54317F352043069BD710EB70E995B6E73A5BBD5704F004A2CB585A61A2EB74DA0ACBA3
                              APIs
                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetDiskFreeSpaceExW,74DEF5D0,00000002,00000000,?,?,?,?,?,?,001179D0,00111AD1,00117B3E,?,00000002), ref: 0011926E
                              • GetProcAddress.KERNEL32(00000000), ref: 00119275
                              • GetDiskFreeSpaceW.KERNEL32(00000002,?,00117B3E,001179D0,00111AD1,?,?,?,?,?,?,001179D0,00111AD1,00117B3E,?,00000002), ref: 001192C5
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: AddressDiskFreeHandleModuleProcSpace
                              • String ID: GetDiskFreeSpaceExW$kernel32.dll
                              • API String ID: 1197914913-1127948838
                              • Opcode ID: e443829a0e8d3fa0dc8dc6decd9129739a05f8245af265c6ba686fc6839a8fe1
                              • Instruction ID: 7456be20227fbf5ea31edd7e980916ea303a8281c16268140f8df8868b66419f
                              • Opcode Fuzzy Hash: e443829a0e8d3fa0dc8dc6decd9129739a05f8245af265c6ba686fc6839a8fe1
                              • Instruction Fuzzy Hash: 5F2157B2900209AFCB11CFA4C841AEEBBF8FF58300F04846AE555E3250E330A945CBA0
                              APIs
                              • __EH_prolog.LIBCMT ref: 00118300
                              • GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 0011834F
                              • DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 0011837C
                              • memcpy.MSVCRT(?,?,?,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 0011839B
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: ControlDeviceFileH_prologHandleInformationfreememcpy
                              • String ID:
                              • API String ID: 1689166341-0
                              • Opcode ID: 24102dcb2d7691b05ff0dff4f06937130f18978d4292dc5ce583b2900f2747f6
                              • Instruction ID: 75ffa488c56102b7d808c702085f8f664d2de43ba4da2f48ee6e5674e37ce55a
                              • Opcode Fuzzy Hash: 24102dcb2d7691b05ff0dff4f06937130f18978d4292dc5ce583b2900f2747f6
                              • Instruction Fuzzy Hash: 88218372940204AFDF199F94DC81AEEBBB9EF65750F14403DF955B6291CB314E84C660
                              APIs
                              • __EH_prolog.LIBCMT ref: 0015D49B
                                • Part of subcall function 0015EBC9: __EH_prolog.LIBCMT ref: 0015EBCE
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: Copy$LZMA2
                              • API String ID: 3519838083-1006940721
                              • Opcode ID: 4e8c88c86a442b903f5a4cc09d0a1412a1613937101ec34c3c7bb01046796b23
                              • Instruction ID: a000ecc3f7e112f6bd3911438fb1869a5b6e9db0774f94829b13e253ba44c029
                              • Opcode Fuzzy Hash: 4e8c88c86a442b903f5a4cc09d0a1412a1613937101ec34c3c7bb01046796b23
                              • Instruction Fuzzy Hash: ADD1BF70D00204CFDB35DFA4E495BADB7B2BF98316F158069E825AF285DB70988ACB54
                              APIs
                              • __EH_prolog.LIBCMT ref: 0011749B
                              • GetLogicalDriveStringsW.KERNEL32(00000000,00000000,00000050,?,00000000), ref: 001174B8
                              • GetLogicalDriveStringsW.KERNEL32(00000000,00000000,?,00000000), ref: 001174E6
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: DriveLogicalStrings$H_prologfree
                              • String ID:
                              • API String ID: 396970233-0
                              • Opcode ID: 3ca8e4bf001850d0ca046398d26cf46f50b8c2f21df00c906c835039f54a76a8
                              • Instruction ID: 4fd8ee1b4c40943f192fe9e78c5a193e5972044c1725339d3576a6a9f9e304b2
                              • Opcode Fuzzy Hash: 3ca8e4bf001850d0ca046398d26cf46f50b8c2f21df00c906c835039f54a76a8
                              • Instruction Fuzzy Hash: 57218272E042099BDB18EFE5D8826EEF7B9EF54350F204039E511A3281D77499858BA4
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: Version
                              • String ID:
                              • API String ID: 1889659487-0
                              • Opcode ID: 5107a5e788363ac4842ab4ee1ffe32e2e76950d2cb1fe0df12dbbc6671bbb21c
                              • Instruction ID: 77536ee35663a0c958a878c6eeed5616c97294828767a31cf2288f46e45e6574
                              • Opcode Fuzzy Hash: 5107a5e788363ac4842ab4ee1ffe32e2e76950d2cb1fe0df12dbbc6671bbb21c
                              • Instruction Fuzzy Hash: B0D012729115054BD701762CC81A3DB77A1FB64340FC80954E8A5C1173FB69C695C2D2
                              APIs
                                • Part of subcall function 00119C4D: GetCurrentProcess.KERNEL32(?,?,00119C6E), ref: 00119C52
                                • Part of subcall function 00119C4D: GetProcessAffinityMask.KERNEL32(00000000), ref: 00119C59
                              • GetSystemInfo.KERNEL32(?), ref: 00119C84
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: Process$AffinityCurrentInfoMaskSystem
                              • String ID:
                              • API String ID: 3251479945-0
                              • Opcode ID: 596dc2c6981a3fbed77458aa5f611e8a5105b4f5a9baea2d145678d382f71fea
                              • Instruction ID: 016b94d7ff9011328673c0d2d7b915b05e929cb90ec0f1cb3aac0e21d26f4130
                              • Opcode Fuzzy Hash: 596dc2c6981a3fbed77458aa5f611e8a5105b4f5a9baea2d145678d382f71fea
                              • Instruction Fuzzy Hash: 73D01234A0010D97CF0CF7E5D466AEE77F85E54208F040068D552A3190DB60E684C6D1
                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(?,0014B9BE,00000000,00000000,759A8E30), ref: 0011AB2B
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: Time$FileSystem
                              • String ID:
                              • API String ID: 2086374402-0
                              • Opcode ID: da6372755576b8562968c95598d18dafdb878e4fc70b103daec2de55039c3145
                              • Instruction ID: 9dde252a8a4676af0194c48a45ec1ace715b905d8c7e7913f832c57af0f04abb
                              • Opcode Fuzzy Hash: da6372755576b8562968c95598d18dafdb878e4fc70b103daec2de55039c3145
                              • Instruction Fuzzy Hash:
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,?,001C10E8,?), ref: 0014B99E
                              • GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0014AC3A,00000000), ref: 0014B9A5
                                • Part of subcall function 0011AB2A: GetSystemTimeAsFileTime.KERNEL32(?,0014B9BE,00000000,00000000,759A8E30), ref: 0011AB2B
                              • memset.MSVCRT ref: 0014B9C7
                              • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,00000000,759A8E30), ref: 0014B9E0
                              • GetProcAddress.KERNEL32(00000000,K32GetProcessMemoryInfo), ref: 0014B9F5
                              • LoadLibraryW.KERNEL32(Psapi.dll,?,?,?,?,?,?,?,?,?,?,?,?,?,0014AC3A,00000000), ref: 0014BA02
                              • GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo), ref: 0014BA12
                              • GetCurrentProcess.KERNEL32(?,00000028,?,?,?,?,?,?,?,?,?,?,?,?,?,0014AC3A), ref: 0014BA20
                              • GetProcAddress.KERNEL32(?,QueryProcessCycleTime), ref: 0014BA34
                              • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0014AC3A,00000000), ref: 0014BA40
                              • fputs.MSVCRT ref: 0014BAC3
                              • __aulldiv.LIBCMT ref: 0014BAD8
                              • fputs.MSVCRT ref: 0014BAF5
                              • fputs.MSVCRT ref: 0014BB21
                              • __aulldiv.LIBCMT ref: 0014BB31
                              • __aulldiv.LIBCMT ref: 0014BB49
                              • fputs.MSVCRT ref: 0014BB66
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: Processfputs$AddressCurrentProc__aulldiv$Time$FileHandleLibraryLoadModuleSystemTimesmemset
                              • String ID: Cnt:$ Freq (cnt/ptime):$ MCycles$ MHz$GetProcessMemoryInfo$Global $K32GetProcessMemoryInfo$Kernel $Physical$Process$Psapi.dll$QueryProcessCycleTime$User $Virtual $kernel32.dll
                              • API String ID: 4173168154-4201791934
                              • Opcode ID: e8428ddec72185384e8f2a2dd50f1564b941e9c78ba24b737c12fca0c5163c84
                              • Instruction ID: 969a71e293141a6a8da5fdcfe9714edec9d864602f4c3eecc343fd53d37e9ef6
                              • Opcode Fuzzy Hash: e8428ddec72185384e8f2a2dd50f1564b941e9c78ba24b737c12fca0c5163c84
                              • Instruction Fuzzy Hash: B5615C72E40218BFDB149FE5DC86EAEBBB9FF58310F10402AF501B31A1DB7599408BA0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: ERROR$GNU$LongLink$LongName$PAX$PAX_error$PAX_overflow$PAX_unsupported_line$POSIX$SignedChecksum$WARNING$atime$bin_mtime$bin_psize$bin_size$ctime$mtime$pax_linkpath$pax_path$pax_size
                              • API String ID: 3519838083-1011227609
                              • Opcode ID: 9ab3aa6e0d6d088bbd2baae2a47616ecfec1e56584c75aae0593b5f6c87d9292
                              • Instruction ID: 889550a4c35dbfaf451b96e2f7c91f108292274e8a160907dd8763624611d6ea
                              • Opcode Fuzzy Hash: 9ab3aa6e0d6d088bbd2baae2a47616ecfec1e56584c75aae0593b5f6c87d9292
                              • Instruction Fuzzy Hash: 8ED1E63190474A9BCB39DBA0CC91EFEBBB1AF21304F14452DE0DA63191DB30A9A6D791
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: strcmp$H_prolog
                              • String ID: atime$ctime$gid$gname$linkpath$mtime$path$size$uid$uname
                              • API String ID: 2964315577-3165903417
                              • Opcode ID: 94f741b51029b8cff559c844c9328ec306c554088114ef334999b28cab1305de
                              • Instruction ID: 21ae34f9303c54cae58fd2491aa01f62f03529ea9655ba8d73d91f1028258c28
                              • Opcode Fuzzy Hash: 94f741b51029b8cff559c844c9328ec306c554088114ef334999b28cab1305de
                              • Instruction Fuzzy Hash: 54C1F4318087859EDF25DBE4ED84BAEBFE1AF21318F14543DE08297992D7B0B996C700
                              APIs
                              • __EH_prolog.LIBCMT ref: 001707B8
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                                • Part of subcall function 0011297F: memcpy.MSVCRT(?,?,?,?,?,001350A5,?,?), ref: 001129B2
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prologfreememcpy
                              • String ID: @PathCut/_pc_$L$PaxHeader/@PaxHeader$atime$crc32/$ctime$devmajor$devminor$gid$gname$linkpath$mtime$path$root$size$uid$uname
                              • API String ID: 2037215848-4204487407
                              • Opcode ID: 16ef5377e0118cdff036a41ab72c1d77ad961e0d395f5c4b0e1aed45fafcb299
                              • Instruction ID: b0e0c0f1e907b905b6aa7dc4e98af787b6421fb6cc67acab8089c11e28fdd933
                              • Opcode Fuzzy Hash: 16ef5377e0118cdff036a41ab72c1d77ad961e0d395f5c4b0e1aed45fafcb299
                              • Instruction Fuzzy Hash: 9F029B71901349DFDB26DF54C890AEEBBB1BF29304F5481AED04EA7642D730AE89CB51
                              APIs
                              • __EH_prolog.LIBCMT ref: 0015FA44
                                • Part of subcall function 0015F13E: _CxxThrowException.MSVCRT(?,001CD480), ref: 0015F161
                              • memcpy.MSVCRT(?,?,?,?,?,?,?,?,0000000B,00000000,?,?), ref: 0015FE36
                              • _CxxThrowException.MSVCRT(?,001CD480), ref: 0015FED2
                              • _CxxThrowException.MSVCRT(?,001CD480), ref: 0015FEE6
                              • _CxxThrowException.MSVCRT(?,001CD480), ref: 0015FEFA
                              • _CxxThrowException.MSVCRT(?,001CD480), ref: 0015FF0E
                              • _CxxThrowException.MSVCRT(?,001CD480), ref: 0015FF22
                              • _CxxThrowException.MSVCRT(?,001CD480), ref: 0015FF36
                              • _CxxThrowException.MSVCRT(?,001CD480), ref: 0015FF4A
                              • _CxxThrowException.MSVCRT(?,001CD480), ref: 0015FF5E
                              • _CxxThrowException.MSVCRT(?,001CD480), ref: 0015FF72
                              • _CxxThrowException.MSVCRT(?,001CD480), ref: 0015FF86
                              • _CxxThrowException.MSVCRT(?,001CD480), ref: 0015FF9A
                                • Part of subcall function 0015EF67: _CxxThrowException.MSVCRT(?,001CD440), ref: 0015EF7A
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrow$H_prologmemcpy
                              • String ID: $!$@
                              • API String ID: 3273695820-2517134481
                              • Opcode ID: 7781e03201eb3a3ede31ddbaab6e3a2f6263fb5cd150d5188bd582dc7b8aca4f
                              • Instruction ID: 0951ed318fe2b03729a48666a5718be015815092c82bacc6f85e95e43b2a2abe
                              • Opcode Fuzzy Hash: 7781e03201eb3a3ede31ddbaab6e3a2f6263fb5cd150d5188bd582dc7b8aca4f
                              • Instruction Fuzzy Hash: D6127B34901249EFCF14DFA4C591AEDBBB1FF19306F14846DE865AF652CB30A94ACB60
                              APIs
                              • __EH_prolog.LIBCMT ref: 0014B6B0
                              • fputs.MSVCRT ref: 0014B71A
                                • Part of subcall function 001121D8: fputs.MSVCRT ref: 001121F2
                              • fputs.MSVCRT ref: 0014B6EB
                                • Part of subcall function 0014B8DD: __EH_prolog.LIBCMT ref: 0014B8E2
                                • Part of subcall function 0014B8DD: fputs.MSVCRT ref: 0014B90B
                                • Part of subcall function 0014B8DD: fputs.MSVCRT ref: 0014B94F
                              • fputs.MSVCRT ref: 0014B79D
                              • fputs.MSVCRT ref: 0014B7BC
                              • fputs.MSVCRT ref: 0014B7E5
                              • fputs.MSVCRT ref: 0014B7F8
                              • fputc.MSVCRT ref: 0014B805
                                • Part of subcall function 00111FA0: fputc.MSVCRT ref: 00111FA7
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prologfputc
                              • String ID: Error:$ file$Scan WARNINGS for files and folders:$Scan WARNINGS: $WARNING: Cannot open $WARNINGS for files:
                              • API String ID: 3294964263-2840245699
                              • Opcode ID: cb5d9573d96e550a0264c952d094a868dd7adb49e9bbe5774645377944d5d626
                              • Instruction ID: ac55c8c76e91f106243f5a0a06964c68af59e93777dafbf3bbf12ebe81b7f018
                              • Opcode Fuzzy Hash: cb5d9573d96e550a0264c952d094a868dd7adb49e9bbe5774645377944d5d626
                              • Instruction Fuzzy Hash: AD51A431A04116ABCF1DEF94E8D2AEDB7B1EF94300F24007EE501A6196DB719E85CBA5
                              APIs
                              • memcmp.MSVCRT(?,001C48A0,00000010), ref: 0011C09E
                              • memcmp.MSVCRT(?,001C0258,00000010), ref: 0011C0BB
                              • memcmp.MSVCRT(?,001C0348,00000010), ref: 0011C0CE
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: 6bcfa58336a7e3e9ebe3073b11797f341eec61c593b0f5323b76597aee45dcd6
                              • Instruction ID: 8722e2ada261450b714310ba73e4464cc526270964327decaee07e5c9b963fe5
                              • Opcode Fuzzy Hash: 6bcfa58336a7e3e9ebe3073b11797f341eec61c593b0f5323b76597aee45dcd6
                              • Instruction Fuzzy Hash: 02916C71690610EBD7698A65CC41FEB73A8AB6A750B00803CFD5AE7245F724EE84CBD0
                              APIs
                              • __EH_prolog.LIBCMT ref: 00123057
                              • OpenFileMappingW.KERNEL32(00000004,00000000,00000002,?,?,?,00000000,?), ref: 0012311B
                              • GetLastError.KERNEL32(?,?,00000000,?), ref: 00123128
                              Strings
                              Similarity
                              • API ID: ErrorFileH_prologLastMappingOpen
                              • String ID: Cannot open mapping$Map data error$MapViewOfFile error$Unsupported Map data$Unsupported Map data size
                              • API String ID: 2221086200-2628113885
                              APIs
                              Strings
                              Similarity
                              • API ID: fputs$H_prolog$fputcfree
                              • String ID: Modified: $Path: $Size:
                              • API String ID: 2632947726-3207571042
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: $16-bit overflow for number of files in headers$32-bit overflow in headers$Central$Local$Minor_Extra_ERROR$Missing volume : $Unsorted_CD$Zip64$apk
                              • API String ID: 3519838083-1909666238
                              APIs
                              Strings
                              Similarity
                              • API ID: fputs$H_prolog
                              • String ID: @$data:
                              • API String ID: 2614055831-1130426132
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: -Cert$:eos$AES$Central$Descriptor_ERROR$Local$StrongCrypto$ZipCrypto
                              • API String ID: 3519838083-2591855172
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: $ $.$:mem$Delta$LZMA$LZMA2$o
                              • API String ID: 3519838083-3806607069
                              APIs
                              • __EH_prolog.LIBCMT ref: 001164F8
                              • GetCurrentThreadId.KERNEL32 ref: 00116508
                              • GetTickCount.KERNEL32 ref: 00116513
                              • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 0011651E
                              • GetTickCount.KERNEL32 ref: 00116578
                              • SetLastError.KERNEL32(000000B7,?,?,?,?,00000000), ref: 001165C5
                              • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 001165EC
                                • Part of subcall function 00115D7A: __EH_prolog.LIBCMT ref: 00115D7F
                                • Part of subcall function 00115D7A: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 00115DA1
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                              Strings
                              Similarity
                              • API ID: CountCurrentErrorH_prologLastTick$CreateDirectoryProcessThreadfree
                              • String ID: .tmp$d
                              • API String ID: 1989517917-2797371523
                              APIs
                              Strings
                              Similarity
                              • API ID: fputs$fputc$__aulldiv
                              • String ID: Time =$Kernel
                              • API String ID: 3602660170-1750218609
                              APIs
                              Strings
                              Similarity
                              • API ID: fputs$H_prolog
                              • String ID: $ MB$ Memory =
                              • API String ID: 2614055831-2616823926
                              APIs
                              Strings
                              Similarity
                              • API ID: fputs
                              • String ID: : Cannot open the file as [$ERROR$Open $WARNING$] archive
                              • API String ID: 1795875747-657955069
                              APIs
                              • __EH_prolog.LIBCMT ref: 0013ED83
                                • Part of subcall function 00125459: __EH_prolog.LIBCMT ref: 0012545E
                                • Part of subcall function 0011823D: __EH_prolog.LIBCMT ref: 00118242
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                              Strings
                              Similarity
                              • API ID: H_prolog$free
                              • String ID: : $ : MINOR_ERROR$...$Junction: $Link: $REPARSE:$WSL:
                              • API String ID: 2654054672-3981964144
                              APIs
                              • __EH_prolog.LIBCMT ref: 00126B63
                                • Part of subcall function 00124D92: __EH_prolog.LIBCMT ref: 00124D97
                                • Part of subcall function 00117DF8: __EH_prolog.LIBCMT ref: 00117DFD
                              Strings
                              • Dangerous link path was ignored, xrefs: 00126BE5
                              • Cannot fill link data, xrefs: 00126D1E
                              • Incorrect path, xrefs: 00126C46
                              • Empty link, xrefs: 00126C21
                              • Dangerous symbolic link path was ignored, xrefs: 00126CCB
                              • Internal error for symbolic link file, xrefs: 00126D53
                              Similarity
                              • API ID: H_prolog
                              • String ID: Cannot fill link data$Dangerous link path was ignored$Dangerous symbolic link path was ignored$Empty link$Incorrect path$Internal error for symbolic link file
                              • API String ID: 3519838083-3151419218
                              APIs
                              • EnterCriticalSection.KERNEL32(001D2938), ref: 0014591F
                              • fputs.MSVCRT ref: 0014595E
                              • fputs.MSVCRT ref: 00145983
                              • LeaveCriticalSection.KERNEL32(001D2938), ref: 00145A1F
                              Strings
                              • with the file from archive:, xrefs: 0014597E
                              • Would you like to replace the existing file:, xrefs: 00145959
                              • v, xrefs: 00145A1F
                              Similarity
                              • API ID: CriticalSectionfputs$EnterLeave
                              • String ID: v$Would you like to replace the existing file:$with the file from archive:
                              • API String ID: 3346953513-622108208
                              APIs
                              • memcmp.MSVCRT(?,001C48A0,00000010), ref: 001431BB
                              • memcmp.MSVCRT(?,001C01B8,00000010), ref: 001431D8
                              • memcmp.MSVCRT(?,001C01C8,00000010), ref: 001431EB
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              APIs
                                • Part of subcall function 001A7D80: WaitForSingleObject.KERNEL32(?,000000FF,0012AFD6,?), ref: 001A7D83
                                • Part of subcall function 001A7D80: GetLastError.KERNEL32(?,000000FF,0012AFD6,?), ref: 001A7D8E
                                • Part of subcall function 001A2FB0: EnterCriticalSection.KERNEL32(?,?,?,001A2749), ref: 001A2FB8
                                • Part of subcall function 001A2FB0: LeaveCriticalSection.KERNEL32(?,?,?,001A2749), ref: 001A2FC2
                              • EnterCriticalSection.KERNEL32(?), ref: 001A290E
                              • LeaveCriticalSection.KERNEL32(?), ref: 001A2928
                              • EnterCriticalSection.KERNEL32(?), ref: 001A2992
                              • LeaveCriticalSection.KERNEL32(?), ref: 001A29B8
                              • EnterCriticalSection.KERNEL32(?), ref: 001A2A1E
                              • LeaveCriticalSection.KERNEL32(?), ref: 001A2A56
                              Strings
                              Similarity
                              • API ID: CriticalSection$EnterLeave$ErrorLastObjectSingleWait
                              • String ID: v
                              • API String ID: 2116739831-3261393531
                              APIs
                              • __EH_prolog.LIBCMT ref: 00134B61
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                              Strings
                              Similarity
                              • API ID: H_prologfree
                              • String ID: -----$-----BEGIN PGP SIGNED MESSAGE$Hash: $cksum
                              • API String ID: 1978129608-4104380264
                              APIs
                              • __EH_prolog.LIBCMT ref: 001232F1
                                • Part of subcall function 00131D73: __EH_prolog.LIBCMT ref: 00131D78
                              • _CxxThrowException.MSVCRT(?,001C6010), ref: 001234D2
                              • _CxxThrowException.MSVCRT(?,001C6010), ref: 001234EF
                              • __EH_prolog.LIBCMT ref: 001234F9
                              Strings
                              • Incorrect volume size:, xrefs: 001234BF
                              • zero size last volume is not allowed, xrefs: 001234D9
                              Similarity
                              • API ID: H_prolog$ExceptionThrow
                              • String ID: Incorrect volume size:$zero size last volume is not allowed
                              • API String ID: 2366012087-998621408
                              • Opcode ID: 00a80b6ef7579d9e9d1dffae92dee22efa36dfe1bf440324c53b648d8ca97efc
                              • Instruction ID: af44527c1db1671a3ce58858e18c4bcb824d12623c7ed6c2411c5202795d960b
                              • Opcode Fuzzy Hash: 00a80b6ef7579d9e9d1dffae92dee22efa36dfe1bf440324c53b648d8ca97efc
                              • Instruction Fuzzy Hash: EF719E31A00265DFCB19EFA4D445BEDB7B1FF24304F0444ADE855AB292CB78AE59CB90
                              APIs
                              Strings
                              Similarity
                              • API ID: fputs$CriticalSection$EnterLeave
                              • String ID: v
                              • API String ID: 1081906680-3261393531
                              • Opcode ID: 050cbe1c86677964ce2d6626b4c05866e1b72acd8c8f3b249c8ffd157c35b5ed
                              • Instruction ID: dc6a1987b560ad1d86506adf0d2004a740440a9038f677859ac52c6bef70a428
                              • Opcode Fuzzy Hash: 050cbe1c86677964ce2d6626b4c05866e1b72acd8c8f3b249c8ffd157c35b5ed
                              • Instruction Fuzzy Hash: F751BE31600B06EFDB29DF64D885BEAB7A2FF54300F00852EF45A572B2CB71A995CB51
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: Incorrect switch postfix:$Multiple instances for switch:$Too long switch:$Too short switch:$Unknown switch:
                              • API String ID: 3519838083-2104980125
                              • Opcode ID: aa8d09c122433f8610a2e56baf07d601427905830cfc67873c3d3139bea9d702
                              • Instruction ID: a1297370d9ffd77e7e666ac40106b3fb1f0f8b9f358b958de92bb9aa5592cd13
                              • Opcode Fuzzy Hash: aa8d09c122433f8610a2e56baf07d601427905830cfc67873c3d3139bea9d702
                              • Instruction Fuzzy Hash: EE51C13060024AEBCF1DCF54C480AEDFBB1FF15324F54816AE6659B686D770EA81CB91
                              APIs
                              • __EH_prolog.LIBCMT ref: 0014725F
                                • Part of subcall function 0014C7D7: fputs.MSVCRT ref: 0014C840
                              Strings
                              Similarity
                              • API ID: H_prologfputs
                              • String ID: Alternate streams$Alternate streams size$Files$Folders$Size
                              • API String ID: 1798449854-232602582
                              • Opcode ID: b452fab1bcf18ed41c2ceccc9d2bb411620663f97f8aacdbe2e0bc8df729e903
                              • Instruction ID: f9f78c006250ff7b3585d293ee799a2e915de0c61ef3f2864bfd861bebaedeed
                              • Opcode Fuzzy Hash: b452fab1bcf18ed41c2ceccc9d2bb411620663f97f8aacdbe2e0bc8df729e903
                              • Instruction Fuzzy Hash: 5731A071700740ABDB29AB75D842FAAF7A7BFA4710F00462CF556526E1CBB0A885CB61
                              APIs
                              • EnterCriticalSection.KERNEL32(001D2938), ref: 00145ED6
                              • fputs.MSVCRT ref: 00145F6A
                              • fputs.MSVCRT ref: 00145F83
                              • LeaveCriticalSection.KERNEL32(001D2938), ref: 00145FC5
                              Strings
                              Similarity
                              • API ID: CriticalSectionfputs$EnterLeave
                              • String ID: : $ v
                              • API String ID: 3346953513-2653416290
                              • Opcode ID: 9df367966e8de9a7ca5590e1a1a8a57cacb3e9cec9f14a3208ff56a9bb6a4816
                              • Instruction ID: 2d8a338fe4b22efc25c843d2bf10c0f4214215c4be4391e53f865f5115e61234
                              • Opcode Fuzzy Hash: 9df367966e8de9a7ca5590e1a1a8a57cacb3e9cec9f14a3208ff56a9bb6a4816
                              • Instruction Fuzzy Hash: 6A318831901B04EFC718EFA4D884EDAB7B2FF54315F10816EE95A8B262DB30A844CF60
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prologfputs
                              • String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
                              • API String ID: 1798449854-1259944392
                              • Opcode ID: 1de23f6f79cf9e0f3983d45d1308f63f9f74372651f7e86cc522956dc14a3b43
                              • Instruction ID: 2dbb49e63ca72e267d6f528ed537d4ef9bba8f2a9bcfcd4ee7752c772055ba69
                              • Opcode Fuzzy Hash: 1de23f6f79cf9e0f3983d45d1308f63f9f74372651f7e86cc522956dc14a3b43
                              • Instruction Fuzzy Hash: D9218031A00505AFCB09EF94D942EEEB7B4FF65314B00003EE502E76A1CB70AD578B81
                              APIs
                              • fputs.MSVCRT ref: 0014DE96
                                • Part of subcall function 00111F91: fflush.MSVCRT ref: 00111F93
                              • GetStdHandle.KERNEL32(000000F6), ref: 0014DEA8
                              • GetConsoleMode.KERNEL32(00000000,00000000), ref: 0014DECA
                              • SetConsoleMode.KERNEL32(00000000,00000000), ref: 0014DEDB
                              • SetConsoleMode.KERNEL32(00000000,00000000), ref: 0014DEFB
                              Strings
                              • Enter password (will not be echoed):, xrefs: 0014DE91
                              Similarity
                              • API ID: ConsoleMode$Handlefflushfputs
                              • String ID: Enter password (will not be echoed):
                              • API String ID: 108775803-3720017889
                              • Opcode ID: 1f92e982abc29079caa57bf64964db80ec284a94644b052521d0c4259002c026
                              • Instruction ID: 749f466a5474f8e48c46234612da3609a6e50d9645c14d0ae9b9ab11321f32a1
                              • Opcode Fuzzy Hash: 1f92e982abc29079caa57bf64964db80ec284a94644b052521d0c4259002c026
                              • Instruction Fuzzy Hash: 8C112C32904219BBCF01AFA4EC05AFEBBB89F51720F144269F850B71A1CB304D46CF90
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: crc32$crc64$md5$sha1$sha256
                              • API String ID: 3519838083-3826973078
                              • Opcode ID: 36427feca1439bef0a3fdd853e602caa9cfc8d59838a0979d9b79ffcd857f1e5
                              • Instruction ID: f02cd8170a746c160b70e790ae365648362208e7525e685b705f9a5ae2057a5a
                              • Opcode Fuzzy Hash: 36427feca1439bef0a3fdd853e602caa9cfc8d59838a0979d9b79ffcd857f1e5
                              • Instruction Fuzzy Hash: 09114832E0141497CF2CB2E4EA446FDB673AFA5B24F21407EE80677585DB300E8097A1
                              APIs
                              Strings
                              Similarity
                              • API ID: exit$CriticalSection$EnterLeave
                              • String ID: v
                              • API String ID: 43521-3261393531
                              • Opcode ID: 363886d45d948b2404e24227ad7bf13e7d8628a180eaef6a5695492bfd60f0b7
                              • Instruction ID: 202931c97b518817f46b5a78a4bf705f83ebe5d98edd2fc575444fadc47009d6
                              • Opcode Fuzzy Hash: 363886d45d948b2404e24227ad7bf13e7d8628a180eaef6a5695492bfd60f0b7
                              • Instruction Fuzzy Hash: D9111B79500701CFC730EFA1C9815A6F7F1BF65300B404A2EE18742A81DB70B58ACF91
                              APIs
                              • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 001169C8
                              • GetProcAddress.KERNEL32(00000000,FindFirstStreamW), ref: 001169DC
                              • GetProcAddress.KERNEL32(00000000,FindNextStreamW), ref: 001169E9
                              Strings
                              Similarity
                              • API ID: AddressProc$HandleModule
                              • String ID: FindFirstStreamW$FindNextStreamW$kernel32.dll
                              • API String ID: 667068680-4044117955
                              • Opcode ID: ad7a47a7715b63b3b3970c89157d743c9b22fe73f49ad55905fa1b53b68eec1c
                              • Instruction ID: 4f1ec6a2b8027c4adb2858d0b7716664743769752286b40616002911e9618563
                              • Opcode Fuzzy Hash: ad7a47a7715b63b3b3970c89157d743c9b22fe73f49ad55905fa1b53b68eec1c
                              • Instruction Fuzzy Hash: 26E086B1702214AF9218476A5C458A6EAACDBD5A90311003BF800E3350D7F568405AF0
                              APIs
                              • memcmp.MSVCRT(?,001C48A0,00000010), ref: 001528EA
                              • memcmp.MSVCRT(?,001C0258,00000010), ref: 00152907
                              • memcmp.MSVCRT(?,001C02D8,00000010), ref: 0015291A
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: 9bd2050930bd6e8f1bbdb74a259c481c78f3193408f95df0a4207f10bb176391
                              • Instruction ID: 81c54f61d8d24a8472f551c8606803cd7c14df0924a03c0084643c917bcf3f8f
                              • Opcode Fuzzy Hash: 9bd2050930bd6e8f1bbdb74a259c481c78f3193408f95df0a4207f10bb176391
                              • Instruction Fuzzy Hash: 8F31C272740208EBE7158A11CC82F7E73A89B767AAF01412CFD559F345F774DD0986A1
                              APIs
                              Strings
                              Similarity
                              • API ID: __aulldiv$H_prolog
                              • String ID: x$x
                              • API String ID: 2300968129-177600594
                              • Opcode ID: e262e23cbd715270241142a90a919f96e55462b8ba3d35cb5d83a78158e86e9d
                              • Instruction ID: 6144a3044841998d400853649edbc1dd5984b8fa020000e20bb00cd0544b9d1d
                              • Opcode Fuzzy Hash: e262e23cbd715270241142a90a919f96e55462b8ba3d35cb5d83a78158e86e9d
                              • Instruction Fuzzy Hash: 09124671900229AFCF14DFA4D881AEEBBB1FF18314F24817DE915AB261D7319D96CB50
                              APIs
                              • __EH_prolog.LIBCMT ref: 00115F56
                              • CreateDirectoryW.KERNEL32(?,00000000,00000000,?,00000000), ref: 00115F78
                              • GetLastError.KERNEL32(?,00000000,00000000,?,00000000), ref: 00115F89
                              • CreateDirectoryW.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00115FC4
                              • GetLastError.KERNEL32 ref: 00115FD2
                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 0011602C
                              Similarity
                              • API ID: ErrorLast$CreateDirectory$H_prolog
                              • String ID:
                              • API String ID: 798237638-0
                              • Opcode ID: 82eb966d799b4354ec054c4ed583619b2df4adb7cf86c853c84a0702ca3d9095
                              • Instruction ID: f11a3ff3ce4a75ea4017a78966d16e218a9f1e6ba2d08e7de519ae8ac6a7b8d7
                              • Opcode Fuzzy Hash: 82eb966d799b4354ec054c4ed583619b2df4adb7cf86c853c84a0702ca3d9095
                              • Instruction Fuzzy Hash: 0D31D031A40214DADF1DABB4C856BEDB731AF65350F144038F54263192CF7A8EC6DAA1
                              APIs
                              Similarity
                              • API ID: __aulldiv$__aullrem
                              • String ID:
                              • API String ID: 2022606265-0
                              • Opcode ID: 04e66f16f12986b4441152cf9a85647fef7582f5898bb4e7ab3477a840e6bba3
                              • Instruction ID: b53a15993e2b6543059bdb3c91b8db97369099565aa139a0022e4e4267a9e7d7
                              • Opcode Fuzzy Hash: 04e66f16f12986b4441152cf9a85647fef7582f5898bb4e7ab3477a840e6bba3
                              • Instruction Fuzzy Hash: 3221D574500219BEDF149F95DC81DDF7A6AFF927A0F20863DB51461190D3B18D90D7E0
                              APIs
                              • __EH_prolog.LIBCMT ref: 00116A7D
                                • Part of subcall function 00116848: FindClose.KERNELBASE(00000000,?,00116880), ref: 00116853
                              • SetLastError.KERNEL32(00000078,00000000,?,?), ref: 00116AA6
                              • SetLastError.KERNEL32(00000000,00000000,?,?), ref: 00116AB2
                              • FindFirstStreamW.KERNELBASE(?,00000000,-00000270,00000000), ref: 00116AD3
                              • GetLastError.KERNEL32(?,?), ref: 00116AE0
                              • FindFirstStreamW.KERNELBASE(?,00000000,-00000270,00000000), ref: 00116B1C
                              Similarity
                              • API ID: ErrorFindLast$FirstStream$CloseH_prolog
                              • String ID:
                              • API String ID: 1050961465-0
                              • Opcode ID: e7188599833c6c3fc453985602fda52851d8992a76e8c4e90487e80395d0cf8f
                              • Instruction ID: 8bc6aa97ec8ccd31baf09074ccde37bb1c6c1de952e4a1e2a231a2fa676c712e
                              • Opcode Fuzzy Hash: e7188599833c6c3fc453985602fda52851d8992a76e8c4e90487e80395d0cf8f
                              • Instruction Fuzzy Hash: F521C570A04205DBCB28AF64D8899EEBB75FF91354F104239FC6197191DB324DC5DB50
                              APIs
                              • fputs.MSVCRT ref: 0014CCC2
                                • Part of subcall function 0014C7D7: fputs.MSVCRT ref: 0014C840
                              • fputs.MSVCRT ref: 0014CE43
                                • Part of subcall function 00111F91: fflush.MSVCRT ref: 00111F93
                              • fputs.MSVCRT ref: 0014CD75
                                • Part of subcall function 00111FA0: fputc.MSVCRT ref: 00111FA7
                                • Part of subcall function 00111FB3: __EH_prolog.LIBCMT ref: 00111FB8
                              Strings
                              Similarity
                              • API ID: fputs$H_prologfflushfputc
                              • String ID: ERRORS:$WARNINGS:
                              • API String ID: 1876658717-3472301450
                              • Opcode ID: 93012c1a720c79ccfd1b7ee012f9d7c92a879ef145f151a05b878a3c66b6ebdc
                              • Instruction ID: 1ce46baab310c3e6aa2c3604fe20d007d8688966f8f5af50d761ab634b0f172d
                              • Opcode Fuzzy Hash: 93012c1a720c79ccfd1b7ee012f9d7c92a879ef145f151a05b878a3c66b6ebdc
                              • Instruction Fuzzy Hash: 0B717134A02702EFDB68EF61D891BEAB7A2EF54300F04443DE95A57261DB30AC85CB91
                              APIs
                              • DeviceIoControl.KERNEL32(00000000,00074004,00000000,00000000,00000000,00000020,00000000,00000000), ref: 00117963
                              • DeviceIoControl.KERNEL32(00000002,000700A0,00000000,00000000,?,00000028,00000000,00000000), ref: 00117A06
                              • DeviceIoControl.KERNEL32(00000002,00070000,00000000,00000000,00000000,00000018,00000000,00000000), ref: 00117A36
                              • DeviceIoControl.KERNEL32(00000002,0002404C,00000000,00000000,00000000,00000018,00000000,00000000), ref: 00117A58
                                • Part of subcall function 00119252: GetModuleHandleW.KERNEL32(kernel32.dll,GetDiskFreeSpaceExW,74DEF5D0,00000002,00000000,?,?,?,?,?,?,001179D0,00111AD1,00117B3E,?,00000002), ref: 0011926E
                                • Part of subcall function 00119252: GetProcAddress.KERNEL32(00000000), ref: 00119275
                                • Part of subcall function 00119252: GetDiskFreeSpaceW.KERNEL32(00000002,?,00117B3E,001179D0,00111AD1,?,?,?,?,?,?,001179D0,00111AD1,00117B3E,?,00000002), ref: 001192C5
                              Strings
                              Similarity
                              • API ID: ControlDevice$AddressDiskFreeHandleModuleProcSpace
                              • String ID: :
                              • API String ID: 4250411929-336475711
                              • Opcode ID: b80babb2af2a2e5bc16f3b165dd2e0629216add055b2bd4c2a1670df0cbae3bd
                              • Instruction ID: 8efab0ba381588254c7fb8da0b2e6736ebed7d8ce903331a38970940b19797e4
                              • Opcode Fuzzy Hash: b80babb2af2a2e5bc16f3b165dd2e0629216add055b2bd4c2a1670df0cbae3bd
                              • Instruction Fuzzy Hash: 9A517271908348AEDB25DFA4C841EEEBBFCEF14354F04C86AF19997291D771A984CB60
                              APIs
                              • __EH_prolog.LIBCMT ref: 0011A091
                                • Part of subcall function 00119BAA: RegCloseKey.ADVAPI32(?,?,00119BA0), ref: 00119BB6
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: CloseH_prolog
                              • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$Previous Update Revision$Update Revision$x86
                              • API String ID: 1579395594-270022386
                              • Opcode ID: 2ca2cead88e2636277ef21147d0747f0c576cdfb46cd6cb3ff5b0bf9c6a29137
                              • Instruction ID: a82916326f21e5875254dcd7ab3724a79b757ce5655e67b331ebaccb8679c97d
                              • Opcode Fuzzy Hash: 2ca2cead88e2636277ef21147d0747f0c576cdfb46cd6cb3ff5b0bf9c6a29137
                              • Instruction Fuzzy Hash: A251C471A01205EFCF19EF98C8929EEBBB5BF69340F40443DE512A7251DB70A985CB92
                              APIs
                              • __EH_prolog.LIBCMT ref: 00119E7A
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prologfree
                              • String ID: act:$ cpus:$ gran:$ page:
                              • API String ID: 1978129608-454015223
                              • Opcode ID: 21eb4b1fb37e54e665ee32b9f451e495618cc83161df41ffaaea36a289460a60
                              • Instruction ID: 59379fe2f8627d9771d9d1fbb06051dfe68b44578a4026aa0b5c19866dbb004a
                              • Opcode Fuzzy Hash: 21eb4b1fb37e54e665ee32b9f451e495618cc83161df41ffaaea36a289460a60
                              • Instruction Fuzzy Hash: 1641AF71700311ABDF2CAE648C62BFE76A2ABA4754F04483DF4A3966D2CF749CC98750
                              APIs
                              • __EH_prolog.LIBCMT ref: 00122CB9
                                • Part of subcall function 00111AA1: __EH_prolog.LIBCMT ref: 00111AA6
                                • Part of subcall function 00111AA1: GetLastError.KERNEL32(00000000,?,00000000,00000000), ref: 00111AD5
                              • _CxxThrowException.MSVCRT(00000001,001C6010), ref: 00122D73
                                • Part of subcall function 001158A9: __EH_prolog.LIBCMT ref: 001158AE
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                                • Part of subcall function 00131DBF: __EH_prolog.LIBCMT ref: 00131DC4
                              • _CxxThrowException.MSVCRT(00000001,001C6010), ref: 00122D56
                              • _CxxThrowException.MSVCRT(00000001,001C6010), ref: 00122D9A
                              Strings
                              • The file operation error for listfile, xrefs: 00122D03
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrow$ErrorLastfree
                              • String ID: The file operation error for listfile
                              • API String ID: 362913088-4247703111
                              • Opcode ID: 27c3b42d4e2160a0edc5546bd98a01a54579f50db11c544586f35a72cf3b7fe8
                              • Instruction ID: 88bf9b6fbbf31a44513b8a7450a38b64b7cbf867f1d3c427f0d67d4269aca324
                              • Opcode Fuzzy Hash: 27c3b42d4e2160a0edc5546bd98a01a54579f50db11c544586f35a72cf3b7fe8
                              • Instruction Fuzzy Hash: 6E411935D00129EBCF15EFE4E8519EEBB75AF68700F108129F45273252CB749A56CBA0
                              APIs
                              • __EH_prolog.LIBCMT ref: 0014D829
                              • EnterCriticalSection.KERNEL32(001D2960,?,00000001,?,?,0014DBB0,?,0000006F,0000006F,?,?,00000000), ref: 0014D83D
                              • fputs.MSVCRT ref: 0014D88E
                              • LeaveCriticalSection.KERNEL32(001D2960,?,00000001,?,?,0014DBB0,?,0000006F,0000006F,?,?,00000000), ref: 0014D95F
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterH_prologLeavefputs
                              • String ID: v
                              • API String ID: 2174113412-3261393531
                              • Opcode ID: cc2e510cdf12e64a76385e72e780f2f5a849e628374bc3f4716c46bfdb599e93
                              • Instruction ID: 84440d31c4b1b45bf53ddb360f263ea44cf6a36294ea0a4c64d0c178baf7bce2
                              • Opcode Fuzzy Hash: cc2e510cdf12e64a76385e72e780f2f5a849e628374bc3f4716c46bfdb599e93
                              • Instruction Fuzzy Hash: 3241C431600786EFCF25AF64D4907AEBBA2FF55304F04453EF09A97261C7316955CB91
                              APIs
                              • __EH_prolog.LIBCMT ref: 00115C83
                              • GetModuleHandleW.KERNEL32(kernel32.dll,CreateHardLinkW), ref: 00115C9D
                              • GetProcAddress.KERNEL32(00000000), ref: 00115CA4
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: AddressH_prologHandleModuleProc
                              • String ID: CreateHardLinkW$kernel32.dll
                              • API String ID: 786088110-294928789
                              • Opcode ID: 806ebc62e8e2ffadec624b9a7082cf246b8940264795d9bcc39141f5e6660b2f
                              • Instruction ID: 8b44089a716357f2226fd4bcb12f2b72b753e14b2a96c3f774f06ac79cbd5caa
                              • Opcode Fuzzy Hash: 806ebc62e8e2ffadec624b9a7082cf246b8940264795d9bcc39141f5e6660b2f
                              • Instruction Fuzzy Hash: 8F21AE32E40615EBCF2DEBE4D94ABEEBB76AF84340F240035E901B2151CB319D80D7A1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prolog
                              • String ID: Archive size: $Files read from disk$Volumes:
                              • API String ID: 2614055831-73833580
                              • Opcode ID: ef585317c1759fbefa8bf05e344c0c4106fadc4bc4fa144f951064b61998d5fb
                              • Instruction ID: a495364b8867845fd5cce38ff367fdc0f8627f5002ff9686d6058c4cee3e2cf4
                              • Opcode Fuzzy Hash: ef585317c1759fbefa8bf05e344c0c4106fadc4bc4fa144f951064b61998d5fb
                              • Instruction Fuzzy Hash: 1E21417190060AABCB19EFA4D852FEEBBB5BF65304F004129E506624A2DF706999CF91
                              APIs
                              • __EH_prolog.LIBCMT ref: 001446D4
                              • EnterCriticalSection.KERNEL32(001D2918), ref: 001446E8
                              • CompareFileTime.KERNEL32(?,?), ref: 00144712
                              • LeaveCriticalSection.KERNEL32(001D2918), ref: 0014476A
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: CriticalSection$CompareEnterFileH_prologLeaveTime
                              • String ID: v
                              • API String ID: 3800395459-3261393531
                              • Opcode ID: 22479715b907eb35611f062128451b4db5a98d9892af67eba0a00dfcfa2f58d1
                              • Instruction ID: 3717d701058053027d4ab37d0793752e598e36bc2df789f2bdba41b66247f68e
                              • Opcode Fuzzy Hash: 22479715b907eb35611f062128451b4db5a98d9892af67eba0a00dfcfa2f58d1
                              • Instruction Fuzzy Hash: 4121CD75500601EFDB21DF28C584B9ABBF5FF51346F10852DE85A97621D730FA89CB90
                              APIs
                              • __EH_prolog.LIBCMT ref: 00144642
                              • EnterCriticalSection.KERNEL32(001D2918), ref: 00144656
                              • LeaveCriticalSection.KERNEL32(001D2918), ref: 00144685
                              • LeaveCriticalSection.KERNEL32(001D2918), ref: 001446C5
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: CriticalSection$Leave$EnterH_prolog
                              • String ID: v
                              • API String ID: 2532973370-3261393531
                              • Opcode ID: b880d53d9e7efc7803bd7a6251f71fa951a978b7ebb2a9418d1f1889479af3f4
                              • Instruction ID: f014c0fd076993ad0f1028b1fb7222ed64fa3cb742335bd7074f4d40ec74b18d
                              • Opcode Fuzzy Hash: b880d53d9e7efc7803bd7a6251f71fa951a978b7ebb2a9418d1f1889479af3f4
                              • Instruction Fuzzy Hash: B4115E79A00211AFC714DF59C894A6EB7B9FF9A710B11822DF80AD7710D774ED458BA0
                              APIs
                              • __EH_prolog.LIBCMT ref: 0014B8E2
                              • fputs.MSVCRT ref: 0014B90B
                                • Part of subcall function 001158A9: __EH_prolog.LIBCMT ref: 001158AE
                                • Part of subcall function 00111FB3: __EH_prolog.LIBCMT ref: 00111FB8
                                • Part of subcall function 00111FA0: fputc.MSVCRT ref: 00111FA7
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                              • fputs.MSVCRT ref: 0014B94F
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$fputs$fputcfree
                              • String ID: : $----------------
                              • API String ID: 1877784702-4071417161
                              • Opcode ID: e290c845b4471b3aec6498d4c426ddf92548f136e36d66bafa9d8eb0ec02f252
                              • Instruction ID: 8750d2e13432de44993ce568e5ea8476f388600a9c7a9b0a7ed8185856049cfb
                              • Opcode Fuzzy Hash: e290c845b4471b3aec6498d4c426ddf92548f136e36d66bafa9d8eb0ec02f252
                              • Instruction Fuzzy Hash: 95019632704201EFCB19AFA8E89299DBBB2FF94360B10417DF112A76A2CF3199458B50
                              APIs
                              • __EH_prolog.LIBCMT ref: 0014D40B
                              • fputs.MSVCRT ref: 0014D42E
                                • Part of subcall function 00111FB3: __EH_prolog.LIBCMT ref: 00111FB8
                              • fputs.MSVCRT ref: 0014D46A
                                • Part of subcall function 00111FA0: fputc.MSVCRT ref: 00111FA7
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prologfputs$fputcfree
                              • String ID: : $Write SFX:
                              • API String ID: 1941438168-2530961540
                              • Opcode ID: dfd98763c8e978d4b603901e116d9a3cec9789b5a6d948f42109f6d0d925cd96
                              • Instruction ID: 443d6371608634b5fb22ce05d99bcdb92e2fbb75f9a62f3c35e621e1d43e75ed
                              • Opcode Fuzzy Hash: dfd98763c8e978d4b603901e116d9a3cec9789b5a6d948f42109f6d0d925cd96
                              • Instruction Fuzzy Hash: 49014F32604205AFCF0AAFA4EC12BDEBBB6EF54310F10442EF505A21A1DF716995DF95
                              APIs
                              • GetSystemInfo.KERNEL32(?), ref: 00119E36
                                • Part of subcall function 00119E75: __EH_prolog.LIBCMT ref: 00119E7A
                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 00119E50
                              • GetProcAddress.KERNEL32(00000000), ref: 00119E57
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: AddressH_prologHandleInfoModuleProcSystem
                              • String ID: GetNativeSystemInfo$kernel32.dll
                              • API String ID: 2024292667-192647395
                              • Opcode ID: 1949faa9a9ba94db89de1490ef68a072c591e0e8ba152ca6861dba4d29baeed8
                              • Instruction ID: 0f1d0d9e1d63a420a5be81b312a8a3848edd410621401120df2dae771308936f
                              • Opcode Fuzzy Hash: 1949faa9a9ba94db89de1490ef68a072c591e0e8ba152ca6861dba4d29baeed8
                              • Instruction Fuzzy Hash: B1F0F0726007009FCB09EBA8CC59BDEB7F8AF84311F044658E002A7181DBB4E941CBE2
                              APIs
                              • GetVersion.KERNEL32(0014C2E1), ref: 001AD290
                              • GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 001AD2A6
                              • GetProcAddress.KERNEL32(00000000), ref: 001AD2AD
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: AddressHandleModuleProcVersion
                              • String ID: SetDefaultDllDirectories$kernel32.dll
                              • API String ID: 3310240892-2102062458
                              • Opcode ID: 12e4c7927676677d10296c4ea5efa9bc64ffef15125629f2503119b695732fdd
                              • Instruction ID: c4231e1149bcc8c00ee56ba6fcb16da9da1c1cb1562d54c43df39057fb03c416
                              • Opcode Fuzzy Hash: 12e4c7927676677d10296c4ea5efa9bc64ffef15125629f2503119b695732fdd
                              • Instruction Fuzzy Hash: B9C01238282601E7F7102BB9AD0EB5A356A9B90B42F414201F842E08A0CBA8C581C6B1
                              APIs
                              • __EH_prolog.LIBCMT ref: 00129199
                              • memcpy.MSVCRT(?,?,?,?,00000000,?,?), ref: 0012921D
                              • memcpy.MSVCRT(?,?,?,?,?,?,00000000,?,?), ref: 0012933B
                              • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 0012934F
                              • memset.MSVCRT ref: 0012955C
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: memcpy$H_prologmemset
                              • String ID:
                              • API String ID: 2371260246-0
                              • Opcode ID: cf008b82e72e3f8ffe5de03f54f21a28e4259eff91a900dbd81417496e5d1ba1
                              • Instruction ID: 86999e46d28fd9fe8e77f80a2b41a8db0053011635ec4f57a96c67b4f7ddfbaf
                              • Opcode Fuzzy Hash: cf008b82e72e3f8ffe5de03f54f21a28e4259eff91a900dbd81417496e5d1ba1
                              • Instruction Fuzzy Hash: C212BE71A00256DFCB24DFA8D988AAEB7F5FF49300F24886DE45ADB251D730AD51CB20
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: wcscmp$ExceptionH_prologThrow
                              • String ID:
                              • API String ID: 2750596395-0
                              • Opcode ID: 8eacde68bd512a895191d57882c156028396fb394f488bc8ccc5496f2dae19db
                              • Instruction ID: 0ea89f2ca436f6c2e9e0d2b9456fd73443a511a0395f5d28f754762773157681
                              • Opcode Fuzzy Hash: 8eacde68bd512a895191d57882c156028396fb394f488bc8ccc5496f2dae19db
                              • Instruction Fuzzy Hash: 7B91CD31D01249DFCF19DFE8C894BEDBBB1BF65714F148169E811A7292CB309A85CB90
                              APIs
                              • memset.MSVCRT ref: 001703F5
                              • memcpy.MSVCRT(?,?,00000008,00000064,?,?,?,?,00000064), ref: 00170490
                              • memset.MSVCRT ref: 00170618
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: memset$memcpy
                              • String ID: $@
                              • API String ID: 368790112-1077428164
                              • Opcode ID: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                              • Instruction ID: 3f70328bbf6ec616ac73955353a64caf7aed6de912554381929d25fd214003c7
                              • Opcode Fuzzy Hash: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                              • Instruction Fuzzy Hash: 6991CE30900709EFEF22DF24C851BEAB7B1AF68304F14C469E59E56192D770BA99CF90
                              APIs
                                • Part of subcall function 001A2FB0: EnterCriticalSection.KERNEL32(?,?,?,001A2749), ref: 001A2FB8
                                • Part of subcall function 001A2FB0: LeaveCriticalSection.KERNEL32(?,?,?,001A2749), ref: 001A2FC2
                              • EnterCriticalSection.KERNEL32(?), ref: 001A290E
                              • LeaveCriticalSection.KERNEL32(?), ref: 001A2928
                              • EnterCriticalSection.KERNEL32(?), ref: 001A2992
                              • LeaveCriticalSection.KERNEL32(?), ref: 001A29B8
                              • EnterCriticalSection.KERNEL32(?), ref: 001A2A1E
                              • LeaveCriticalSection.KERNEL32(?), ref: 001A2A56
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeave
                              • String ID: v
                              • API String ID: 3168844106-3261393531
                              • Opcode ID: 9793ebc9872834fe1c66ad3141330e88d1d4963b02c4fe654ad9b13da66b6f6e
                              • Instruction ID: b8b32f4d530216b9213bc26ab38155c6dd6a6e8ba6c7e161be398862392aee98
                              • Opcode Fuzzy Hash: 9793ebc9872834fe1c66ad3141330e88d1d4963b02c4fe654ad9b13da66b6f6e
                              • Instruction Fuzzy Hash: AE6146796047018FC725DF28C480B6BB3F2BF9A314F114A1DE9AA87651EB34E989CB51
                              APIs
                              • __EH_prolog.LIBCMT ref: 00116141
                                • Part of subcall function 00116C72: __EH_prolog.LIBCMT ref: 00116C77
                              • SetLastError.KERNEL32(0000010B,00000000,00000000), ref: 00116197
                              • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 0011626E
                              • SetLastError.KERNEL32(?,?,?,?,?,0000005C,?,00000000,00000000), ref: 001162A9
                                • Part of subcall function 00116096: __EH_prolog.LIBCMT ref: 0011609B
                                • Part of subcall function 00116096: DeleteFileW.KERNEL32(?,?,?,00000000), ref: 001160DF
                              • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 00116285
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: ErrorLast$H_prolog$DeleteFile
                              • String ID:
                              • API String ID: 3586524497-0
                              • Opcode ID: 9897b85ea97c1cb2b632c769127f9e8fece7c6dc28a4037d6d0830e254ad8df8
                              • Instruction ID: 19671ce197421e05015cddfdfb9ec104b2f263a5f999f68f02dde85361e64ca1
                              • Opcode Fuzzy Hash: 9897b85ea97c1cb2b632c769127f9e8fece7c6dc28a4037d6d0830e254ad8df8
                              • Instruction Fuzzy Hash: 2C51BC31C04228EADF1DEBE4D841BEDBBB5AF25340F104079E851B31D2DB361A8ACB51
                              APIs
                                • Part of subcall function 001A7D80: WaitForSingleObject.KERNEL32(?,000000FF,0012AFD6,?), ref: 001A7D83
                                • Part of subcall function 001A7D80: GetLastError.KERNEL32(?,000000FF,0012AFD6,?), ref: 001A7D8E
                              • EnterCriticalSection.KERNEL32(?), ref: 0019926B
                              • EnterCriticalSection.KERNEL32(?), ref: 00199274
                              • LeaveCriticalSection.KERNEL32(?), ref: 00199296
                              • LeaveCriticalSection.KERNEL32(?), ref: 00199299
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeave$ErrorLastObjectSingleWait
                              • String ID: v
                              • API String ID: 2116739831-3261393531
                              • Opcode ID: 0f885dc23cc43df34d908b673cc61d654fe5d982d2c012ad29f71da75fe2863e
                              • Instruction ID: ce5138f03ddda4594f2e3b7ec5e76197903afcb50cc87dfeadb3ad93e1358bdf
                              • Opcode Fuzzy Hash: 0f885dc23cc43df34d908b673cc61d654fe5d982d2c012ad29f71da75fe2863e
                              • Instruction Fuzzy Hash: 80414935600B05AFCB19EF78C994AAAF3E5FF58314F00862DE4AA43681DB35B955CB90
                              APIs
                              • WideCharToMultiByte.KERNEL32(?,00000000,0000005F,00000000,00000000,00000000,00000000,00000000,?,?,7597AB50,0000005F,?,?,?), ref: 0011384C
                              • GetLastError.KERNEL32(?,?,7597AB50,0000005F,?,?,?), ref: 00113855
                              • _CxxThrowException.MSVCRT(?,001C4A58), ref: 00113873
                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000005F,00000000,?,?,00000001,00000001,?,?,7597AB50,0000005F,?), ref: 001138DA
                              • _CxxThrowException.MSVCRT(0000FDE9,001C4A58), ref: 00113902
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: ByteCharExceptionMultiThrowWide$ErrorLast
                              • String ID:
                              • API String ID: 2296236218-0
                              • Opcode ID: 0a16db8a36a2fb3c9b5fd21bb9e0b4e0c308a6b6fe6817de838658a23138d589
                              • Instruction ID: 80d53f769adad54fd09745fc3d51b3a9e240dfbdd4675b6f627ba049ddc756db
                              • Opcode Fuzzy Hash: 0a16db8a36a2fb3c9b5fd21bb9e0b4e0c308a6b6fe6817de838658a23138d589
                              • Instruction Fuzzy Hash: 5131EF71A0420ABFDB15CFA8CC84BEEBBF8EF55344F108269E468D7140D7709A85CBA0
                              APIs
                              • memcmp.MSVCRT(?,001C48A0,00000010), ref: 001244DB
                              • memcmp.MSVCRT(?,001C0128,00000010), ref: 001244EE
                              • memcmp.MSVCRT(?,001C0228,00000010), ref: 0012450B
                              • memcmp.MSVCRT(?,001C0248,00000010), ref: 00124528
                              • memcmp.MSVCRT(?,001C01C8,00000010), ref: 00124545
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: 79da48bc29dbf5b7fa7d311a29681c02b357e1447a27c0a5bd18f9e674f0fe36
                              • Instruction ID: fbc9c59de982a12f1ef192be3468bd4afdb9f59b145bbcadd2a31fc5151b86a3
                              • Opcode Fuzzy Hash: 79da48bc29dbf5b7fa7d311a29681c02b357e1447a27c0a5bd18f9e674f0fe36
                              • Instruction Fuzzy Hash: CE21CF72740208ABE7198E21EC82F7E33AC9B657A0F05803CFD469A285F764DD158690
                              APIs
                              • memcmp.MSVCRT(?,001C48A0,00000010), ref: 0017672A
                              • memcmp.MSVCRT(?,001C0258,00000010), ref: 00176747
                              • memcmp.MSVCRT(?,001C02D8,00000010), ref: 0017675A
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: d4fcf427e37aefc8054c105664bbe7c4af7f08e1f2507c2bfff0f29608c862d4
                              • Instruction ID: 743374a37469f2f92710b453d48ef029baa0f68210dd4e0757856bd2f3891273
                              • Opcode Fuzzy Hash: d4fcf427e37aefc8054c105664bbe7c4af7f08e1f2507c2bfff0f29608c862d4
                              • Instruction Fuzzy Hash: 2221A176640208ABE7188E11CC86F7E33BC9B757E8F01852CFD099A249F764DD098790
                              APIs
                              • memcmp.MSVCRT(?,001C48A0,00000010), ref: 001389D5
                              • memcmp.MSVCRT(?,001C0258,00000010), ref: 001389F2
                              • memcmp.MSVCRT(?,001C0328,00000010), ref: 00138A05
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: f83f0b1d77c8a8b49c2a35e39b1bf8c5bd92102af3c552a2edae3a26cc0f8c28
                              • Instruction ID: 0346a32a14cff1acbe4b3cf4683f116162812c520759f22bc5aec02b1c6de1f7
                              • Opcode Fuzzy Hash: f83f0b1d77c8a8b49c2a35e39b1bf8c5bd92102af3c552a2edae3a26cc0f8c28
                              • Instruction Fuzzy Hash: EC21D171240308ABE7149B61CC82F7E33A89B753A4F00412DFD069B281FB64ED0593A1
                              APIs
                              • memcmp.MSVCRT(?,001C48A0,00000010), ref: 0011B523
                              • memcmp.MSVCRT(?,001C0088,00000010), ref: 0011B540
                              • memcmp.MSVCRT(?,001C00A8,00000010), ref: 0011B553
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: 618c53bad9eeacc03c05fc55cd027f3000aded41cfb8cade7db155f32bf9f023
                              • Instruction ID: a2e916e746ee7eb28065511ebf4b87c2a93a260dd8388eba4539ef1adfaa93fd
                              • Opcode Fuzzy Hash: 618c53bad9eeacc03c05fc55cd027f3000aded41cfb8cade7db155f32bf9f023
                              • Instruction Fuzzy Hash: 6921FF72204208ABE7188F11DCC2FBE33AEAB653A0F05453CFD059B281F764DE8587A0
                              APIs
                              • memcmp.MSVCRT(?,001C48A0,00000010), ref: 00155E8A
                              • memcmp.MSVCRT(?,001C0168,00000010), ref: 00155EA7
                              • memcmp.MSVCRT(?,001C0198,00000010), ref: 00155EBA
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: 4360ecfafe58d905d5c0fb91cfba744d42fe3a6aa7db3745958bb1d4b6e91958
                              • Instruction ID: 052d38ff285bed9d336cbac738166a628d23231f1fd97882a135abf4e231e656
                              • Opcode Fuzzy Hash: 4360ecfafe58d905d5c0fb91cfba744d42fe3a6aa7db3745958bb1d4b6e91958
                              • Instruction Fuzzy Hash: 5721AEB2640208EBE7158A11CC92F7EB3AADB757A6F05402EFD158E245F764DD0986A0
                              APIs
                              • __EH_prolog.LIBCMT ref: 001159C4
                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000000,?,?,?,?,?), ref: 00115A03
                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,00000000,?,?,00000000,?,?,?,?,?), ref: 00115A43
                              • SetFileTime.KERNEL32(000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,?), ref: 00115A65
                              • CloseHandle.KERNEL32(000000FF,?,00000000,?,?,?,?,?,?,?), ref: 00115A73
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: File$Create$CloseH_prologHandleTime
                              • String ID:
                              • API String ID: 213185242-0
                              • Opcode ID: 2c87ab7b8fffa6d1ee043c9928fa075ab67eae6a43dde6f639d7d72930bf0d36
                              • Instruction ID: f9af2bbc1389c3f491a9430231b8ee5853f58a0d88508e20b7fae588b2efbb96
                              • Opcode Fuzzy Hash: 2c87ab7b8fffa6d1ee043c9928fa075ab67eae6a43dde6f639d7d72930bf0d36
                              • Instruction Fuzzy Hash: 2A218031E8020AEBDF159FA8DC45BEEBB7AFF54324F104225E520761E1C7714A91DB90
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prologfputcfreestrlen
                              • String ID:
                              • API String ID: 154898386-0
                              • Opcode ID: 18323e084baaa67f41740de3888f7efbb2a98fb8125f5c8704e2c4c9627f766b
                              • Instruction ID: 4961781d4db967de05b03505fdf04d8ce0296883f96ec7d5cc32b319384a3e43
                              • Opcode Fuzzy Hash: 18323e084baaa67f41740de3888f7efbb2a98fb8125f5c8704e2c4c9627f766b
                              • Instruction Fuzzy Hash: A3117332A00109EFCF05AFA4EC42AEDBB76EF54360F104076F614A71A1DB315A95DB90
                              APIs
                              • __EH_prolog.LIBCMT ref: 0017A8B9
                                • Part of subcall function 0011965D: VariantClear.OLEAUT32(?), ref: 0011967F
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: ClearH_prologVariant
                              • String ID: ZIP$exe$zip
                              • API String ID: 1166855276-1635144978
                              • Opcode ID: 4c49184927885c2c07d4d2c5010fab25f812b21b51c6629fcb98d60001524426
                              • Instruction ID: 4e5ceca56af13b72bf06c2b342708d5901372fda22e85fef9d9f480892c172f0
                              • Opcode Fuzzy Hash: 4c49184927885c2c07d4d2c5010fab25f812b21b51c6629fcb98d60001524426
                              • Instruction Fuzzy Hash: 92610A31900246DFCF29EFE4C540AEEF7B1AF64304FA0843DE546A7251D7746A8ACB52
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: !$LZMA2:$LZMA:
                              • API String ID: 3519838083-3332058968
                              • Opcode ID: f8f96e513e0a2911009bc1b58bfd2f17bc7585b5d8ba0f9772360e8fc79c53a1
                              • Instruction ID: 1f8cecd24078ed949b9c8d928cef9b0091e963720832b188277d19073e4ca0a1
                              • Opcode Fuzzy Hash: f8f96e513e0a2911009bc1b58bfd2f17bc7585b5d8ba0f9772360e8fc79c53a1
                              • Instruction Fuzzy Hash: 0461B170900246DEDB19CFA4C559FFD7BF1AF25342F1540B9E8256B262E770AE88CB80
                              APIs
                              • __EH_prolog.LIBCMT ref: 0015E774
                                • Part of subcall function 00113563: memmove.MSVCRT(?,?,00000022,00000000,?,00111DAE,00000000,00000000,00000000,00111D37,7FFFFFE0,00000000,00000000,?,00000000,00000000), ref: 00113588
                                • Part of subcall function 0015E6C2: __EH_prolog.LIBCMT ref: 0015E6C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$memmove
                              • String ID: hcf$mtf$rsfx
                              • API String ID: 593149739-3699647704
                              • Opcode ID: 8d50e6e6668e2c214526f72f10801eb7a41d45fbe1cecfdfc00ec72f5b5267be
                              • Instruction ID: 50f60b136e5bd6c448bdf8284a2cfc8d83cdcb9274894cf4e8440f72dfe94306
                              • Opcode Fuzzy Hash: 8d50e6e6668e2c214526f72f10801eb7a41d45fbe1cecfdfc00ec72f5b5267be
                              • Instruction Fuzzy Hash: 23519031D00245DBCF2CEBA0C481AFEB3A2AB54315B14853AEC766F282DB749E4DD791
                              APIs
                              • __EH_prolog.LIBCMT ref: 00146C79
                                • Part of subcall function 00146AFA: __EH_prolog.LIBCMT ref: 00146AFF
                              • fputs.MSVCRT ref: 00146DAE
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$fputs
                              • String ID: Name$Size
                              • API String ID: 3822167597-481755742
                              • Opcode ID: 06f0f262f932ae2ac1272c3c8b327ddc937d0508b835b025ac9c139acefe0893
                              • Instruction ID: 52035debb5888837c1f232bd54309f33308bfa6f9f8e1b5ec93e35925423f33d
                              • Opcode Fuzzy Hash: 06f0f262f932ae2ac1272c3c8b327ddc937d0508b835b025ac9c139acefe0893
                              • Instruction Fuzzy Hash: 21418375B002149FCF09EFA4C891AEDB7B2FF55314F104079E845AB2A2CB34AD45CB61
                              APIs
                              • __EH_prolog.LIBCMT ref: 00122AAE
                              • _CxxThrowException.MSVCRT(?,001C6010), ref: 00122BC1
                              • _CxxThrowException.MSVCRT(?,001C6010), ref: 00122BDF
                                • Part of subcall function 00122BF5: __EH_prolog.LIBCMT ref: 00122BFA
                                • Part of subcall function 00122BF5: _CxxThrowException.MSVCRT(?,001C6010), ref: 00122C9E
                              Strings
                              • There is no second file name for rename pair:, xrefs: 00122BAE
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrow$H_prolog
                              • String ID: There is no second file name for rename pair:
                              • API String ID: 206451386-3412818124
                              • Opcode ID: 0fbef60aee37a84d124236a3b38df81b952fc74d0b56e14b5f4b9b43bf257235
                              • Instruction ID: 903e160f0e1b9aa14372039d20a3d9a26649eae942ccd499aa06d309017e0a3a
                              • Opcode Fuzzy Hash: 0fbef60aee37a84d124236a3b38df81b952fc74d0b56e14b5f4b9b43bf257235
                              • Instruction Fuzzy Hash: DC419F31A00229EFCF15DF94D891BEEBBB1BF69314F108259F8116B2D1C770A961CBA1
                              APIs
                              • __EH_prolog.LIBCMT ref: 00136B88
                                • Part of subcall function 001504D2: _CxxThrowException.MSVCRT(?,001C4A58), ref: 001504F8
                                • Part of subcall function 00111524: __EH_prolog.LIBCMT ref: 00111529
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                                • Part of subcall function 00113599: memmove.MSVCRT(00000002,?,?,?,00000001,?,0011904C,00000001,00000002,00000000,00000000,?,?,?,00118EC4,?), ref: 001135D5
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrowfreememmove
                              • String ID: crc$flags$memuse
                              • API String ID: 2665131394-339511674
                              • Opcode ID: 0c4f3ac45a99431127d36a8a957e95b772b9801d22b8e8fdd395fcb2e176bd84
                              • Instruction ID: cff14db4af1c0e2b7532a4f2a9f0cc9a23c425c498fc87f3ab7bf8d9c9dadc54
                              • Opcode Fuzzy Hash: 0c4f3ac45a99431127d36a8a957e95b772b9801d22b8e8fdd395fcb2e176bd84
                              • Instruction Fuzzy Hash: 1D31E431900149EBCF19EBD0CA52AEDBBB5EF25314F108068E5417B192CB769E89CBA0
                              APIs
                              • __EH_prolog.LIBCMT ref: 0011A389
                                • Part of subcall function 0011A4C5: GetModuleHandleW.KERNEL32(ntdll.dll,?,0011A3C1,00000001), ref: 0011A4CD
                                • Part of subcall function 0011A4C5: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0011A4DD
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: AddressH_prologHandleModuleProc
                              • String ID: : $ SP:$Windows
                              • API String ID: 786088110-3655538264
                              • Opcode ID: eb47a93a789b35861a93c98a073c73aaaedb1b3188667a8038fd7cb351d8ea8b
                              • Instruction ID: c6d07e2d02a423b2cddc632b4eb2a1ec3148f32fcc9c0becad64e0d61554533d
                              • Opcode Fuzzy Hash: eb47a93a789b35861a93c98a073c73aaaedb1b3188667a8038fd7cb351d8ea8b
                              • Instruction Fuzzy Hash: 8531E9319012199ACF1DEBE5C8669EEBBB4BF28300F404079F60672191EF715AD5CBA1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputs$fputc
                              • String ID: : Removing files after including to archive$Removing
                              • API String ID: 1185151155-1218467041
                              • Opcode ID: 1e813c08c3cd5b9a94ac1a0470f14b6d89bfab6c36168f4ac512b506619fe5aa
                              • Instruction ID: 3c5c265f800f234bf876b1421111c71dca826ec2ed1e4e4cb597a6858307c603
                              • Opcode Fuzzy Hash: 1e813c08c3cd5b9a94ac1a0470f14b6d89bfab6c36168f4ac512b506619fe5aa
                              • Instruction Fuzzy Hash: C73182325047019FCB69EF70E891BEBB3B6AFA5314F04492EE19B06162DF317899CB51
                              APIs
                              • __EH_prolog.LIBCMT ref: 0017D8F0
                              • EnterCriticalSection.KERNEL32(?), ref: 0017D904
                              • LeaveCriticalSection.KERNEL32(?), ref: 0017D994
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterH_prologLeave
                              • String ID: v
                              • API String ID: 367238759-3261393531
                              • Opcode ID: f725e8351d1169888fe4a533e3ec4a666386e9a6c8c1cdce78c2ea479c136289
                              • Instruction ID: 5361438bd635765ee95e693c06c3119d9beaf5b5a45736032252343aafa73d85
                              • Opcode Fuzzy Hash: f725e8351d1169888fe4a533e3ec4a666386e9a6c8c1cdce78c2ea479c136289
                              • Instruction Fuzzy Hash: 6331E2B9A00705DFCB24DF68D984A6AB7F4FF48354B048A6DE99A97B11D730F904CB60
                              APIs
                              • __EH_prolog.LIBCMT ref: 0012EFDD
                                • Part of subcall function 0012B49A: memset.MSVCRT ref: 0012B4B5
                                • Part of subcall function 0012B49A: strlen.MSVCRT ref: 0012B4D3
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prologmemsetstrlen
                              • String ID: ?$ MB$RAM
                              • API String ID: 2475707007-294454972
                              • Opcode ID: 26dbe2323b472c49e0a8bf00cf455ed2ae849119c54c831359335c42c378129c
                              • Instruction ID: 785829b6ca54d847f20605011b378c10dc4c35922e43249dc70a024c52525313
                              • Opcode Fuzzy Hash: 26dbe2323b472c49e0a8bf00cf455ed2ae849119c54c831359335c42c378129c
                              • Instruction Fuzzy Hash: 38218E35700214AFCB19EF58D89AAAE7FB1EFA9710F10442DF5829B2E1CB709C51DB90
                              APIs
                              • __EH_prolog.LIBCMT ref: 001207E0
                              • EnterCriticalSection.KERNEL32(?), ref: 001207F2
                              • LeaveCriticalSection.KERNEL32(?), ref: 0012086B
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterH_prologLeave
                              • String ID: v
                              • API String ID: 367238759-3261393531
                              • Opcode ID: 14bb27a5b2b77078bb6c28fdb786a8f9bd239e21f7f9e16e5d76a2ffd57e0d34
                              • Instruction ID: f75ebf6b5123a3f08febf6e7888a1a57b49af73188638753f602d29cac11cda7
                              • Opcode Fuzzy Hash: 14bb27a5b2b77078bb6c28fdb786a8f9bd239e21f7f9e16e5d76a2ffd57e0d34
                              • Instruction Fuzzy Hash: C4216A39A00214DFD724CF29C58495ABBF5FF88714B15866EE84A8B721C730FC05CB90
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: ASCII$UTF8$UTF8-ERROR
                              • API String ID: 3519838083-1783863097
                              • Opcode ID: 36332ac7c1140300aed844673b49c04589d538901e144fcd1378627783142fbb
                              • Instruction ID: f1f9cad1be62429a8febf24d693383fc7a999aca433041c7a7f340174b74144b
                              • Opcode Fuzzy Hash: 36332ac7c1140300aed844673b49c04589d538901e144fcd1378627783142fbb
                              • Instruction Fuzzy Hash: 97219571C09249EBDF19EFE4D8919EEBBB4AF34350B00803EE452A3142DB7499D4C750
                              APIs
                              • __EH_prolog.LIBCMT ref: 0013701D
                                • Part of subcall function 00137A40: __EH_prolog.LIBCMT ref: 00137A45
                                • Part of subcall function 00137A40: wcscmp.MSVCRT ref: 00137AD2
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                                • Part of subcall function 001504D2: _CxxThrowException.MSVCRT(?,001C4A58), ref: 001504F8
                                • Part of subcall function 001374EB: __EH_prolog.LIBCMT ref: 001374F0
                                • Part of subcall function 00137193: __EH_prolog.LIBCMT ref: 00137198
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrowfreewcscmp
                              • String ID: A0$Hash$sha256 sha512 sha224 sha384 sha1 sha md5 crc32 crc64 asc cksum
                              • API String ID: 4250029832-3656212537
                              • Opcode ID: 03323f3f62c4363ccc37343f7897cf6005dc4abfce3f2a76940ad2788d7ede73
                              • Instruction ID: c873bfe5a51ab167cb1a76df26639c0197a1eda5540217676b6da8722261ca47
                              • Opcode Fuzzy Hash: 03323f3f62c4363ccc37343f7897cf6005dc4abfce3f2a76940ad2788d7ede73
                              • Instruction Fuzzy Hash: 2E219DB1D05348EECB09EBE4DA929DDBBB5AF25310F20006DF40677282DB740E48CB61
                              APIs
                              • __EH_prolog.LIBCMT ref: 00122BFA
                                • Part of subcall function 00123AF1: __EH_prolog.LIBCMT ref: 00123AF6
                              • _CxxThrowException.MSVCRT(?,001C6010), ref: 00122C9E
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrow
                              • String ID: -r0$Unsupported rename command:
                              • API String ID: 2366012087-1002762148
                              • Opcode ID: ad9514d637f1f8b47f4d89e8fd81a35ca06ef8816f469166a34e03b1e4b83a26
                              • Instruction ID: ab3bae21811d803db694b13023b56f8ee1842743b74498206c54b55473bcfcf7
                              • Opcode Fuzzy Hash: ad9514d637f1f8b47f4d89e8fd81a35ca06ef8816f469166a34e03b1e4b83a26
                              • Instruction Fuzzy Hash: 2C119035900215AACB19FBA0D992EFEB778EF75740F000039F51263182DB719B5BC7A0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prolog
                              • String ID: :
                              • API String ID: 2614055831-3653984579
                              • Opcode ID: d28dc76d822d35da4fc81d016cf4348477e45352b01ab46ab81e33fe7de99867
                              • Instruction ID: 47438d634edbcafbb2aa8d2c09a1aac133731b072a09a685977de768b442a40d
                              • Opcode Fuzzy Hash: d28dc76d822d35da4fc81d016cf4348477e45352b01ab46ab81e33fe7de99867
                              • Instruction Fuzzy Hash: 41118132600605EFCB19BBA4D892EEEF7B3EF94310F10442EE91653251DB316896CB61
                              APIs
                              • __EH_prolog.LIBCMT ref: 001206FB
                              • EnterCriticalSection.KERNEL32(?), ref: 0012070B
                              • LeaveCriticalSection.KERNEL32(?,?), ref: 00120786
                                • Part of subcall function 0012089E: _CxxThrowException.MSVCRT(?,001C4A58), ref: 001208C4
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterExceptionH_prologLeaveThrow
                              • String ID: v
                              • API String ID: 4150843469-3261393531
                              • Opcode ID: ad1a712afd08c7f5777af132346a855dc4c7467ad6c8bfe1eadaa6f6f4ea4940
                              • Instruction ID: 44b982d7ebb38f489347616acd360187ccd3e367cba930e61330d9754f7f0785
                              • Opcode Fuzzy Hash: ad1a712afd08c7f5777af132346a855dc4c7467ad6c8bfe1eadaa6f6f4ea4940
                              • Instruction Fuzzy Hash: 9A215CB5A10604DFCB25EF28D584B6ABBF0FF08314F108A6EE44ACBA42D731A915CF50
                              APIs
                              • EnterCriticalSection.KERNEL32(001D2938), ref: 00145D61
                              • fputs.MSVCRT ref: 00145DB4
                              • LeaveCriticalSection.KERNEL32(001D2938), ref: 00145DE2
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeavefputs
                              • String ID: v
                              • API String ID: 4171338575-3261393531
                              • Opcode ID: 87af60a1ecc1e898b81959d9f90b096e39cc3de9ffed6548a917dc50a2783cd2
                              • Instruction ID: 227d3b65068732f3f81734c7b74365863e77eafd5e52ea53ffd73a5bd644ca0b
                              • Opcode Fuzzy Hash: 87af60a1ecc1e898b81959d9f90b096e39cc3de9ffed6548a917dc50a2783cd2
                              • Instruction Fuzzy Hash: 6801D835204A00EFC714ABB4DC4CA9AB7E5EF94325F14462DF456D7222EB30AC44CB90
                              APIs
                              • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 001193A7
                              • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 001193B7
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: RtlGetVersion$ntdll.dll
                              • API String ID: 1646373207-1489217083
                              • Opcode ID: f0744e727e3857d29973a81a9ba0616d244118e4269932fc6ec12c83036198e0
                              • Instruction ID: 1f99f6ea2fbc14633a54a66ac056d3f7092ab5c976fe6ca06713076dde245fae
                              • Opcode Fuzzy Hash: f0744e727e3857d29973a81a9ba0616d244118e4269932fc6ec12c83036198e0
                              • Instruction Fuzzy Hash: F3F06271E00318C6DF38AB24DD167E633A45B50705F0405B4E515E1481DBB8DAC289E9
                              APIs
                              • __EH_prolog.LIBCMT ref: 0014D087
                              • EnterCriticalSection.KERNEL32(001D2960), ref: 0014D09A
                                • Part of subcall function 0014CF20: __EH_prolog.LIBCMT ref: 0014CF25
                                • Part of subcall function 0014CF20: fputs.MSVCRT ref: 0014CF92
                              • LeaveCriticalSection.KERNEL32(001D2960,?,?,00000001), ref: 0014D0D6
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: CriticalH_prologSection$EnterLeavefputs
                              • String ID: v
                              • API String ID: 347903205-3261393531
                              • Opcode ID: 6a53afca586417406160660962ea0f38c6dc685be57a0cc964b0d9b40fbeec05
                              • Instruction ID: 57786841e79ffcabc58b1788f681b44e5d65ed32b3940b9c7aa4c48f06f277ff
                              • Opcode Fuzzy Hash: 6a53afca586417406160660962ea0f38c6dc685be57a0cc964b0d9b40fbeec05
                              • Instruction Fuzzy Hash: B0F0CD36600108FFCB09AF84CC15FCCBB79FF54310F00822AF524AA160C7B5AA55CBA0
                              APIs
                              • __EH_prolog.LIBCMT ref: 0014D7BD
                              • EnterCriticalSection.KERNEL32(001D2960), ref: 0014D7D0
                              • LeaveCriticalSection.KERNEL32(001D2960), ref: 0014D804
                                • Part of subcall function 0014C911: GetTickCount.KERNEL32 ref: 0014C926
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: CriticalSection$CountEnterH_prologLeaveTick
                              • String ID: v
                              • API String ID: 2547919631-3261393531
                              • Opcode ID: 7ee6e66cf4b706bb2a6dab4cbca64c8bdaf43f382d59ec4fe0d0590e3100e382
                              • Instruction ID: 095ed4b4d884b0c22b12620fabbe513feac5393d579639532239c2a6f367c335
                              • Opcode Fuzzy Hash: 7ee6e66cf4b706bb2a6dab4cbca64c8bdaf43f382d59ec4fe0d0590e3100e382
                              • Instruction Fuzzy Hash: 70F0CD39600200EFCB04DB69D808B89BBE8EF85305F04827AF400D7361CBB0E941CBA0
                              APIs
                              • __EH_prolog.LIBCMT ref: 0014D0F4
                              • EnterCriticalSection.KERNEL32(001D2960), ref: 0014D108
                                • Part of subcall function 0014CF20: __EH_prolog.LIBCMT ref: 0014CF25
                                • Part of subcall function 0014CF20: fputs.MSVCRT ref: 0014CF92
                              • LeaveCriticalSection.KERNEL32(001D2960,?,?,00000000), ref: 0014D133
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: CriticalH_prologSection$EnterLeavefputs
                              • String ID: v
                              • API String ID: 347903205-3261393531
                              • Opcode ID: 54b82debfca341819c462d950fd640bdeeb9639b4972ac433eb97983e6c6e6bf
                              • Instruction ID: 84a60da95868afe83fea5d429049f261de65128b002fb1e75a4ebcbc77453546
                              • Opcode Fuzzy Hash: 54b82debfca341819c462d950fd640bdeeb9639b4972ac433eb97983e6c6e6bf
                              • Instruction Fuzzy Hash: 6BF0273AB00210BFD7106B48DD05BAEB77AEFD5311F20413AF801E3340C7B89D0486A4
                              APIs
                              • _CxxThrowException.MSVCRT(?,001CAC78), ref: 0014B5AA
                                • Part of subcall function 00111FA0: fputc.MSVCRT ref: 00111FA7
                              • fputs.MSVCRT ref: 0014B589
                              • fputs.MSVCRT ref: 0014B58E
                              Strings
                              Similarity
                              • API ID: fputs$ExceptionThrowfputc
                              • String ID: ERROR:
                              APIs
                              • __EH_prolog.LIBCMT ref: 0014602A
                              • EnterCriticalSection.KERNEL32(001D2938), ref: 00146044
                              • LeaveCriticalSection.KERNEL32(001D2938), ref: 00146060
                              Strings
                              Similarity
                              • API ID: CriticalSection$EnterH_prologLeave
                              • String ID: v
                              APIs
                              • __EH_prolog.LIBCMT ref: 0014CFF9
                              • EnterCriticalSection.KERNEL32(001D2960,?,?,?,00146A2C,?,?), ref: 0014D00C
                                • Part of subcall function 0014CF20: __EH_prolog.LIBCMT ref: 0014CF25
                                • Part of subcall function 0014CF20: fputs.MSVCRT ref: 0014CF92
                              • LeaveCriticalSection.KERNEL32(001D2960,?,?,00000001,?,?,?,?,?,00146A2C,?,?), ref: 0014D037
                              Strings
                              Similarity
                              • API ID: CriticalH_prologSection$EnterLeavefputs
                              • String ID: v
                              APIs
                              Strings
                              Similarity
                              • API ID: fputs$fputc
                              • String ID: $:
                              APIs
                              • __EH_prolog.LIBCMT ref: 0014D765
                              • EnterCriticalSection.KERNEL32(001D2960), ref: 0014D778
                              • LeaveCriticalSection.KERNEL32(001D2960), ref: 0014D7A0
                                • Part of subcall function 0014C911: GetTickCount.KERNEL32 ref: 0014C926
                              Strings
                              Similarity
                              • API ID: CriticalSection$CountEnterH_prologLeaveTick
                              • String ID: v
                              APIs
                              • GetModuleHandleW.KERNEL32(ntdll.dll,?,0011A3C1,00000001), ref: 0011A4CD
                              • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0011A4DD
                              Strings
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: RtlGetVersion$ntdll.dll
                              APIs
                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetLargePageMinimum,00121D26), ref: 00196A6A
                              • GetProcAddress.KERNEL32(00000000), ref: 00196A71
                              Strings
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: GetLargePageMinimum$kernel32.dll
                              APIs
                              • memcmp.MSVCRT(?,001C48A0,00000010), ref: 00136F0F
                              • memcmp.MSVCRT(?,001C0168,00000010), ref: 00136F2A
                              • memcmp.MSVCRT(?,001C0178,00000010), ref: 00136F3E
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              APIs
                              • memcmp.MSVCRT(?,001C48A0,00000010), ref: 0013DBAC
                              • memcmp.MSVCRT(?,001C0108,00000010), ref: 0013DBC7
                              • memcmp.MSVCRT(?,001C0138,00000010), ref: 0013DBDB
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              APIs
                              • memcmp.MSVCRT(?,001C48A0,00000010), ref: 00151D96
                              • memcmp.MSVCRT(?,001C0168,00000010), ref: 00151DB1
                              • memcmp.MSVCRT(?,001C0198,00000010), ref: 00151DC5
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              APIs
                              • memcmp.MSVCRT(?,001C48A0,00000010), ref: 0015BECE
                              • memcmp.MSVCRT(?,001C0168,00000010), ref: 0015BEE9
                              • memcmp.MSVCRT(?,001C0178,00000010), ref: 0015BEFD
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              APIs
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,000004B0,00000000,00000000,?,?,00111BDA,0000FDE9,7FFFFFE0,00000000,00000000), ref: 001136EE
                              • GetLastError.KERNEL32(?,00111BDA,0000FDE9,7FFFFFE0,00000000,00000000,?,00000000,00000000), ref: 001136F7
                              • _CxxThrowException.MSVCRT(00000000,001C4A58), ref: 00113711
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,?,?,00111BDA,0000FDE9,7FFFFFE0,00000000,00000000,?,00000000,00000000), ref: 00113736
                              • _CxxThrowException.MSVCRT(00000000,001C4A58), ref: 0011374C
                              Similarity
                              • API ID: ByteCharExceptionMultiThrowWide$ErrorLast
                              • String ID:
                              APIs
                              • __EH_prolog.LIBCMT ref: 00146E83
                                • Part of subcall function 00146AFA: __EH_prolog.LIBCMT ref: 00146AFF
                              • strlen.MSVCRT ref: 00146F1E
                                • Part of subcall function 0013447D: strlen.MSVCRT ref: 001344C7
                              • strlen.MSVCRT ref: 00146F92
                              • fputs.MSVCRT ref: 00146FDF
                              Similarity
                              • API ID: strlen$H_prolog$fputs
                              • String ID:
                              APIs
                                • Part of subcall function 001A7D80: WaitForSingleObject.KERNEL32(?,000000FF,0012AFD6,?), ref: 001A7D83
                                • Part of subcall function 001A7D80: GetLastError.KERNEL32(?,000000FF,0012AFD6,?), ref: 001A7D8E
                              • EnterCriticalSection.KERNEL32(?), ref: 00185C84
                              • LeaveCriticalSection.KERNEL32(?), ref: 00185CA0
                              • LeaveCriticalSection.KERNEL32(?,?), ref: 00185D7A
                              Strings
                              Similarity
                              • API ID: CriticalSection$Leave$EnterErrorLastObjectSingleWait
                              • String ID: v
                              APIs
                              • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,00000000,?), ref: 00130359
                              • GetLastError.KERNEL32(?,?,00000000,?), ref: 00130382
                              • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,?,00000000,?), ref: 001303DA
                              • GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,?), ref: 001303F0
                              Similarity
                              • API ID: ErrorFileLastSecurity
                              • String ID:
                              APIs
                              Similarity
                              • API ID: __aulldiv
                              • String ID:
                              APIs
                              • __EH_prolog.LIBCMT ref: 00115D7F
                              • CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 00115DA1
                              • GetLastError.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 00115DAB
                              • CreateDirectoryW.KERNEL32(?,00000000,00000000,?,00000000,00000001,?,?,00000000), ref: 00115DE2
                              Similarity
                              • API ID: CreateDirectory$ErrorH_prologLast
                              • String ID:
                              • API String ID: 1817354178-0
                              • Opcode ID: 04de37f3def63d515425f4cabf29f456d634629563d40e13925d6960d257025a
                              • Instruction ID: 86250e51e0417dd0b9881af2abaa52dd01e03822ad303c93ccb0fe2472a60202
                              • Opcode Fuzzy Hash: 04de37f3def63d515425f4cabf29f456d634629563d40e13925d6960d257025a
                              • Instruction Fuzzy Hash: E201B532A01605E7CF1D6BE4A8867FEBB27DF91390F144036EE02A6591CB258DC297D1
                              APIs
                              • _beginthreadex.MSVCRT ref: 001A7E55
                              • SetThreadAffinityMask.KERNEL32(00000000,?), ref: 001A7E6D
                              • ResumeThread.KERNEL32(00000000), ref: 001A7E74
                              • GetLastError.KERNEL32 ref: 001A7E86
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: Thread$AffinityErrorLastMaskResume_beginthreadex
                              • String ID:
                              • API String ID: 3268521904-0
                              • Opcode ID: 7ebb1f0c11effc6a7bd1cfac4e41bdf9d139d9c5ae8236295967f4fab4434ab8
                              • Instruction ID: a07bda578ed3963cdd3bf4ec0751e30906dc5e08210b2a807cf627393331a5e3
                              • Opcode Fuzzy Hash: 7ebb1f0c11effc6a7bd1cfac4e41bdf9d139d9c5ae8236295967f4fab4434ab8
                              • Instruction Fuzzy Hash: 7CF0E27B205111ABD210AB58AC04FAB7399EBD2B20F00421AF604CB1C4D7708C4787F1
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prologfputcfree
                              • String ID:
                              • API String ID: 3247574066-0
                              • Opcode ID: e43a700de873c889f12ea9db9cdb5b125562ce9eeec26217528ce0a9a32e4bd3
                              • Instruction ID: aa6b7a46d4aba128059bb82e19b224353305109eabb6653658da8b955ff22352
                              • Opcode Fuzzy Hash: e43a700de873c889f12ea9db9cdb5b125562ce9eeec26217528ce0a9a32e4bd3
                              • Instruction Fuzzy Hash: 47F01232900019ABCB067B94DD52ADEBF76EF64360F10407AE505621A1DB7159A5DEC4
                              APIs
                              • __EH_prolog.LIBCMT ref: 00133D75
                                • Part of subcall function 0013021A: __EH_prolog.LIBCMT ref: 0013021F
                                • Part of subcall function 001504D2: _CxxThrowException.MSVCRT(?,001C4A58), ref: 001504F8
                                • Part of subcall function 0013749D: __EH_prolog.LIBCMT ref: 001374A2
                                • Part of subcall function 00134345: __EH_prolog.LIBCMT ref: 0013434A
                                • Part of subcall function 0013375C: __EH_prolog.LIBCMT ref: 00133761
                                • Part of subcall function 0013375C: strcmp.MSVCRT ref: 00133815
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrowstrcmp
                              • String ID: Scanning error
                              • API String ID: 1140649431-2691707340
                              • Opcode ID: aeb32f2d736393cd99c86a98a0f142b68a42a43819a93a8bf32ef2f0b780449c
                              • Instruction ID: f1e73a80ede31e2d107ea84dec54f55e529c4ddec9e2dcdc4463e3a8c7c19d85
                              • Opcode Fuzzy Hash: aeb32f2d736393cd99c86a98a0f142b68a42a43819a93a8bf32ef2f0b780449c
                              • Instruction Fuzzy Hash: DE027E71D05259DFDF19DFA4C884AEEBBB1BF28310F1480A9E955A7252DB30AE84CF50
                              APIs
                              • wcscmp.MSVCRT ref: 00168CC6
                              • __EH_prolog.LIBCMT ref: 001688DD
                                • Part of subcall function 00168E31: __EH_prolog.LIBCMT ref: 00168E36
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$wcscmp
                              • String ID: Can't open volume:
                              • API String ID: 3232955128-72083580
                              • Opcode ID: 685f608cb6baaf5012f77f0e139e9a5508bd8771d70ac424889ed345ae578d61
                              • Instruction ID: ad05aa716f7a9765d8c22c7c6b7c78d30042b9894e41e8db57124194dca42287
                              • Opcode Fuzzy Hash: 685f608cb6baaf5012f77f0e139e9a5508bd8771d70ac424889ed345ae578d61
                              • Instruction Fuzzy Hash: 3002F170900249DFCF25DFE8C884BEDBBB1AF64304F1481A9E54AA7291DF719E95CB21
                              APIs
                              • __EH_prolog.LIBCMT ref: 0012B796
                                • Part of subcall function 001A7E00: _beginthreadex.MSVCRT ref: 001A7E14
                              • __aulldiv.LIBCMT ref: 0012BA51
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog__aulldiv_beginthreadex
                              • String ID:
                              • API String ID: 2901374343-3916222277
                              • Opcode ID: bc03af7cb7ad5a42d20c8e487c26fe587adca97ed7d849110b680e14a484d2c8
                              • Instruction ID: 7a466da45ec038df4986be7cbac6a8d6fc98fb469470fcb48014897157e05e9c
                              • Opcode Fuzzy Hash: bc03af7cb7ad5a42d20c8e487c26fe587adca97ed7d849110b680e14a484d2c8
                              • Instruction Fuzzy Hash: 58B16BB1D04219DFCB24DFA9D8C09AEBBB5FF58314F20852EE51AA7251D730AE91CB50
                              APIs
                              • __EH_prolog.LIBCMT ref: 0017AAEA
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prologfree
                              • String ID: EXE$exe
                              • API String ID: 1978129608-1088655240
                              • Opcode ID: 161b8a0aba4d50f47f4f42d76d096d47a3bea2e3dbe790ca74b1bb8cc63f48e6
                              • Instruction ID: e24b041e7a3d0a17dc7a19a8d7c8494c7550a4741645d011cd1db84f4e9e4406
                              • Opcode Fuzzy Hash: 161b8a0aba4d50f47f4f42d76d096d47a3bea2e3dbe790ca74b1bb8cc63f48e6
                              • Instruction Fuzzy Hash: CE918231900209EFCF29DFA4C494BEEB7B5FF95311F50C529E86A97251DB30A985CB12
                              APIs
                              • __EH_prolog.LIBCMT ref: 00139536
                                • Part of subcall function 0011965D: VariantClear.OLEAUT32(?), ref: 0011967F
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: ClearH_prologVariant
                              • String ID: Unknown error$Unknown warning
                              • API String ID: 1166855276-4291957651
                              • Opcode ID: 54a117ba65d701890b01cc52f8f094ffd7ddd37e036ddb0fe85ea129a3e65289
                              • Instruction ID: 30565c49d364b00eeb397723369a6f015660f0cc0b5574f86c179c74638d54a8
                              • Opcode Fuzzy Hash: 54a117ba65d701890b01cc52f8f094ffd7ddd37e036ddb0fe85ea129a3e65289
                              • Instruction Fuzzy Hash: C5813771900609DFCB14DFA8C5919EEBBF1BF58304F50896DE46AA7290D7B0AE45CF60
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog__aullrem
                              • String ID: wav
                              • API String ID: 3415659256-1803495720
                              • Opcode ID: 00c213f9e7592e60da7e48f8f4d0334c231aaf86c920921973e1efb16a43354a
                              • Instruction ID: 97523883ec18f8550d9cabbbb94844e0a0a5f06c11d244d971601327667af621
                              • Opcode Fuzzy Hash: 00c213f9e7592e60da7e48f8f4d0334c231aaf86c920921973e1efb16a43354a
                              • Instruction Fuzzy Hash: 5961BE31A002098BDF25CFA4CD44BEEB7F1AF55355F248059E825AB246C771DF59CBA0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$crc
                              • API String ID: 3519838083-849529298
                              • Opcode ID: 12a623e3fa06063abb1726ab36410879ca27878666c20de97fa5e6f51ad92f56
                              • Instruction ID: 7b810b9fcc8ce707266652b34e25b8edc0fc24524a32f9f5e3a0563b4e7d93e8
                              • Opcode Fuzzy Hash: 12a623e3fa06063abb1726ab36410879ca27878666c20de97fa5e6f51ad92f56
                              • Instruction Fuzzy Hash: DE51933590020ADBCF1AEFD0D8819EEB775EF18354F118439E8266B291DB74AE89CB50
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: BlockPackSize$BlockUnpackSize
                              • API String ID: 3519838083-5494122
                              • Opcode ID: f5e645c0baa9caf31bc194e55d3150d4b936aed0a154eb182b7e0251686cf7da
                              • Instruction ID: bfc7a90f3187d5e5ed01b9936ab46f7a593bad0240a352a81004b34a81a5f33b
                              • Opcode Fuzzy Hash: f5e645c0baa9caf31bc194e55d3150d4b936aed0a154eb182b7e0251686cf7da
                              • Instruction Fuzzy Hash: 79510831804684EEDF39CBA4C4A1AFD7BB1AF26301F98406ED8725F196D7215D8CD781
                              APIs
                              • __EH_prolog.LIBCMT ref: 001235BE
                              • _CxxThrowException.MSVCRT(?,001C6010), ref: 00123796
                                • Part of subcall function 00111E40: free.MSVCRT ref: 00111E44
                              Strings
                              • incorrect update switch command, xrefs: 00123783
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionH_prologThrowfree
                              • String ID: incorrect update switch command
                              • API String ID: 2564996034-2497410926
                              • Opcode ID: 8b99f9af210b1e3d115db8b35df95160fbf580f98d025afec33be64e8eeeb9f7
                              • Instruction ID: 099ec5abd7984c924784074e81a3600c195a852ebf9acce27a6a14cb44267be7
                              • Opcode Fuzzy Hash: 8b99f9af210b1e3d115db8b35df95160fbf580f98d025afec33be64e8eeeb9f7
                              • Instruction Fuzzy Hash: 1C515872900269EBCF19EB94D841BEDBBB5BF14310F2041A9E525B7291CB346F95CBA0
                              APIs
                              • __EH_prolog.LIBCMT ref: 0012F177
                                • Part of subcall function 0012F302: __EH_prolog.LIBCMT ref: 0012F307
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: AES128$AES192
                              • API String ID: 3519838083-2727009373
                              • Opcode ID: 9ef66d43826b63933c063b8fbee2e1099ccbe0ff3949354a118a24387dc9944b
                              • Instruction ID: 0ff55b65ca7dfd8fa5dff21959cb799714807712ac89a5d873ec8aeb94c646e4
                              • Opcode Fuzzy Hash: 9ef66d43826b63933c063b8fbee2e1099ccbe0ff3949354a118a24387dc9944b
                              • Instruction Fuzzy Hash: 6C51BF31900119EBDF18EF94E991AEDBBB1FF69300F10413DE446A7281D7709E66CB90
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prologstrcmp
                              • String ID: =
                              • API String ID: 1490138475-2525689732
                              • Opcode ID: d2cd6c47de316688ac5f2ff5b4a30cef0f5104454ae8edb9200860b6876b96a0
                              • Instruction ID: 1132b6e12deca3908de2be65fc1c084bc1c443a30a5c078a69f0b8ceea5edd87
                              • Opcode Fuzzy Hash: d2cd6c47de316688ac5f2ff5b4a30cef0f5104454ae8edb9200860b6876b96a0
                              • Instruction Fuzzy Hash: 53417330A01249BBDF1AFBA4C856BFDBBB3AFA4314F048069F5412A2D2DBB54D85C751
                              APIs
                              • __EH_prolog.LIBCMT ref: 0011A4F8
                                • Part of subcall function 0011A384: __EH_prolog.LIBCMT ref: 0011A389
                                • Part of subcall function 00119E14: GetSystemInfo.KERNEL32(?), ref: 00119E36
                                • Part of subcall function 00119E14: GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 00119E50
                                • Part of subcall function 00119E14: GetProcAddress.KERNEL32(00000000), ref: 00119E57
                              • strcmp.MSVCRT ref: 0011A564
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$AddressHandleInfoModuleProcSystemstrcmp
                              • String ID: -
                              • API String ID: 2798778560-3695764949
                              • Opcode ID: ca423cf3d1a4ba6877d303bbc2f2b62a598b1f2a3f6d2d19fa3da70d0fe59ba2
                              • Instruction ID: 704406e6f54521bd818fcc083e155f724326d6aa5da437dace3753a769730c47
                              • Opcode Fuzzy Hash: ca423cf3d1a4ba6877d303bbc2f2b62a598b1f2a3f6d2d19fa3da70d0fe59ba2
                              • Instruction Fuzzy Hash: 96312931D02219ABCF1DFBE0D8529EDFBB6AF64710F50403AF80172192DB705AD5CA62
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: wcscmp
                              • String ID: UNC
                              • API String ID: 3392835482-337201128
                              • Opcode ID: e309bd14b0378ffdc7423ff5b797c007dcad1769d81e9595507148cf904cd14e
                              • Instruction ID: e797b22069824c9dc026e4b4e44f48bd3507653e9e7743330a7ccad687a7004b
                              • Opcode Fuzzy Hash: e309bd14b0378ffdc7423ff5b797c007dcad1769d81e9595507148cf904cd14e
                              • Instruction Fuzzy Hash: 182150393416018FDA2CCF18D894EA6B3E5FF45F24B258879E5569B2A1D735ECC1CB80
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prologstrlen
                              • String ID: sums
                              • API String ID: 1633371453-329994169
                              • Opcode ID: 6898184d739cf483bda262721f3f67cf1b9defd7e04de18078b462625e7cf8fd
                              • Instruction ID: 7f37dd9d10941de0ef9e8141bb376d35972da776844e5122565fe369d7f43cf0
                              • Opcode Fuzzy Hash: 6898184d739cf483bda262721f3f67cf1b9defd7e04de18078b462625e7cf8fd
                              • Instruction Fuzzy Hash: F621C131E041189BCF09EBD8D591AEDFBB9EFA5300F14406EE40273292DB716E86C791
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                               • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: __aulldivstrlen
                              • String ID: M
                              • API String ID: 1892184250-3664761504
                              • Opcode ID: e40119c0635b6d839feff1b5c6c5846a9c1e8e09341b1f83b9f9535c25550f02
                              • Instruction ID: 9def6c71e4047a1e8a68bf96b97fbe73d3e20a589968dfd1deff36631ce064f1
                              • Opcode Fuzzy Hash: e40119c0635b6d839feff1b5c6c5846a9c1e8e09341b1f83b9f9535c25550f02
                              • Instruction Fuzzy Hash: 14112C766003446BDB25DAF5C891FAF77E99B99314F14483DE383971D1DB31AC458360
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0$x
                              • API String ID: 3519838083-1948001322
                              • Opcode ID: 54e7851dec0261ddd3ff4359f76afc8ea2832f2eee62f538b4a0d1fde83f3380
                              • Instruction ID: 90f2d74d80764198b2df09c551523b5a2815c2e804480d44bce5dbf2f31c2b59
                              • Opcode Fuzzy Hash: 54e7851dec0261ddd3ff4359f76afc8ea2832f2eee62f538b4a0d1fde83f3380
                              • Instruction Fuzzy Hash: BE218B36D011199ACF08EB98D992AEDB7B5FFA9704F10006AE801B7281CBB55E45CBA1
                              APIs
                              • __EH_prolog.LIBCMT ref: 00123941
                              • _CxxThrowException.MSVCRT(?,001C6010), ref: 001239DE
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionH_prologThrow
                              • String ID: Unsupported charset:
                              • API String ID: 461045715-616772432
                              • Opcode ID: b2cf3fb85ff9b1cf9d596849757be6069d6042831cab93b4a3e11f38c23a1824
                              • Instruction ID: eeaae83c2bd861cb7996520eb5c6c53847415ccbf349852cdd52cd0a04c37043
                              • Opcode Fuzzy Hash: b2cf3fb85ff9b1cf9d596849757be6069d6042831cab93b4a3e11f38c23a1824
                              • Instruction Fuzzy Hash: 75213831A000199BCF05EF98D891EEDB771EF5A318F014178E8966B152C735AE92CB90
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID: Decoding ERROR$N
                              • API String ID: 1795875747-1022896211
                              • Opcode ID: 30140fbabe91d7189473d80a4b841b0b14e053879d213b8cbc1c18e43c96b510
                              • Instruction ID: bb463c4d269c0b97478489d92f2f07734796518c6acc3bb2585efb60d63caf8a
                              • Opcode Fuzzy Hash: 30140fbabe91d7189473d80a4b841b0b14e053879d213b8cbc1c18e43c96b510
                              • Instruction Fuzzy Hash: 5321AC31D06159DBCF19EBA4D895BDCFBB1AF24308F5000AAE115B72A2CB745E84CF65
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: BT2$LZMA
                              • API String ID: 3519838083-1343681682
                              • Opcode ID: cdd3d489fc38c3da5535f6e53776e43bcab0a4176fbccf2d8a59c65d57730a74
                              • Instruction ID: b627e8f31470a87029872979b0efe810cd055e820f2ace38174f586b0280bad8
                              • Opcode Fuzzy Hash: cdd3d489fc38c3da5535f6e53776e43bcab0a4176fbccf2d8a59c65d57730a74
                              • Instruction Fuzzy Hash: 41116D31A60214ABD718EBA4EC62FDDB770AF34B41F004069F4126A1D2EBB46A48C751
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: / $ :
                              • API String ID: 3519838083-1815150141
                              • Opcode ID: 719eea4b4721d9121dacf90c06232cd86050621be187cb80ca7174c75f962cbc
                              • Instruction ID: 35edfec40aa000bc0cfba5091b44fb2d5106f4b52a9c7976b0e040139f89ff8e
                              • Opcode Fuzzy Hash: 719eea4b4721d9121dacf90c06232cd86050621be187cb80ca7174c75f962cbc
                              • Instruction Fuzzy Hash: C011F532900229DBCF19EBE4DDA2BEEB3B5BF68740F14042DE11676191DB74AA54CB60
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: ErrorH_prologLast
                              • String ID: :
                              • API String ID: 1057991267-3653984579
                              • Opcode ID: 78b3c23e93c460cadc65a50e4411969722f7d5bf7af493f47d3d8628c97ca017
                              • Instruction ID: ad84014e26ffbcdb39f020f693a1c7fca03872e354c857cdb3933924060c32a9
                              • Opcode Fuzzy Hash: 78b3c23e93c460cadc65a50e4411969722f7d5bf7af493f47d3d8628c97ca017
                              • Instruction Fuzzy Hash: E4118436900105EBCB1AEBE4D816ADEBB71AF64350F104069F902A7292DF759E55CBA0
                              APIs
                              Strings
                              • Cannot open the file as archive, xrefs: 001486D0
                              • Cannot open encrypted archive. Wrong password?, xrefs: 00148698
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID: Cannot open encrypted archive. Wrong password?$Cannot open the file as archive
                              • API String ID: 1795875747-1623556331
                              • Opcode ID: 5559933e687638318a88d843941a35a10da05f92fb6e9893b348078e25021e78
                              • Instruction ID: 2f6305277a067bab514e067d876ea1ea7db7e1e4a90898834aff3268322a655b
                              • Opcode Fuzzy Hash: 5559933e687638318a88d843941a35a10da05f92fb6e9893b348078e25021e78
                              • Instruction Fuzzy Hash: 8001F9323002009BC708EB54D895EBEF3E7AFD8300F55442EF20287695DF74A8428F51
                              APIs
                              • FormatMessageW.KERNEL32(00001300,00000000,?,00000000,00000000,00000000,00000000,?,?,?,001158D6,00000000,00000000), ref: 00115999
                              Strings
                              • Internal Error: The failure in hardware (RAM or CPU), OS or program, xrefs: 0011597B
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: FormatMessage
                              • String ID: Internal Error: The failure in hardware (RAM or CPU), OS or program
                              • API String ID: 1306739567-2427807339
                              • Opcode ID: eca19d50ee90ba4e8e176c5227e47f28859ce995df65c9beedc7b15b8c3353dc
                              • Instruction ID: cc86ea371fc6751aef1f5028986959449cb7bc42ac76088c836f63a22bb48d52
                              • Opcode Fuzzy Hash: eca19d50ee90ba4e8e176c5227e47f28859ce995df65c9beedc7b15b8c3353dc
                              • Instruction Fuzzy Hash: 83E0ED7520061AFAAF0D37208C02CFF72AEDBA4724B100238F802A2240E7A14EC166F6
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID: =
                              • API String ID: 1795875747-2525689732
                              • Opcode ID: eff8788d49cac9e295cb046495488669a258017bccc7d1704231105227b5ced4
                              • Instruction ID: c259312266e17f7915c5e3b991f957293f6cb88419250cbf99ba8e66ecb0fe21
                              • Opcode Fuzzy Hash: eff8788d49cac9e295cb046495488669a258017bccc7d1704231105227b5ced4
                              • Instruction Fuzzy Hash: 77E0DF36A00115ABCB04BBECAC51CFE7B69FB803147000826E510D7211EB70D962CBD0
                              APIs
                              • OpenEventW.KERNEL32(00000002,00000000,?,Unsupported Map data size,?,?,0012324C,?,?,?,00000000), ref: 001232A1
                              • GetLastError.KERNEL32(?,0012324C,?,?,?,00000000), ref: 001232AE
                              Strings
                              • Unsupported Map data size, xrefs: 00123294
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: ErrorEventLastOpen
                              • String ID: Unsupported Map data size
                              • API String ID: 330508107-1172413320
                              • Opcode ID: a9b328980cf33090c0df0bbc17d790f39b554575716155c4fbc485275038abce
                              • Instruction ID: c3e8c1ed604938aaea466d9818d60628d100fe35532ecdb3f5041ca538ecb5c5
                              • Opcode Fuzzy Hash: a9b328980cf33090c0df0bbc17d790f39b554575716155c4fbc485275038abce
                              • Instruction Fuzzy Hash: C9E06530500214EBEB14ABA1DC07BADB7A8EF10354F204169A401E20A0EBB0AF00AA64
                              APIs
                              • fputs.MSVCRT ref: 00149594
                              • fputs.MSVCRT ref: 0014959D
                                • Part of subcall function 00112201: fputs.MSVCRT ref: 0011221E
                                • Part of subcall function 00111FA0: fputc.MSVCRT ref: 00111FA7
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: fputs$fputc
                              • String ID: Archives
                              • API String ID: 1185151155-454332015
                              • Opcode ID: 393ffdbce3fd04ddda5087a3b8d923b8b21d10fe26b081a34004713f18627272
                              • Instruction ID: 8c26cc351a80c97a5b402f0607f013f736c93644f45040a3ed9b8f8d07766bae
                              • Opcode Fuzzy Hash: 393ffdbce3fd04ddda5087a3b8d923b8b21d10fe26b081a34004713f18627272
                              • Instruction Fuzzy Hash: 09D02B32200200A7CB157FA89C01C9FBAA6EFE43107020C2FF48053120CB7248B49F90
                              APIs
                              • memcmp.MSVCRT(?,001C48A0,00000010), ref: 001741D6
                              • memcmp.MSVCRT(?,001C0168,00000010), ref: 001741F1
                              • memcmp.MSVCRT(?,001C01E8,00000010), ref: 00174205
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: 12b9b465968e1e9fe9f7a4766ac8e672b4f3d79b36e17602929838d317a3e747
                              • Instruction ID: 050625296988dfa9ac1807d3a87a7eba36f1b81a8d26d88c452f61919a952e66
                              • Opcode Fuzzy Hash: 12b9b465968e1e9fe9f7a4766ac8e672b4f3d79b36e17602929838d317a3e747
                              • Instruction Fuzzy Hash: C8010435340204A7D7245A55DC42F7D73B49B79720F04842CFE49DB282F3B4E9518340
                              APIs
                              • memcmp.MSVCRT(?,001C48A0,00000010), ref: 0013CDED
                              • memcmp.MSVCRT(?,001C0108,00000010), ref: 0013CE08
                              • memcmp.MSVCRT(?,001C0138,00000010), ref: 0013CE1C
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: c7a6990f0ec04f946c7293f004e8cbf72e699aace0853c211067bbaf178a6ee0
                              • Instruction ID: c4ccf7d7e7107ff3a97ab5271bfc7e0ad668b9690ae96013b306892738c77831
                              • Opcode Fuzzy Hash: c7a6990f0ec04f946c7293f004e8cbf72e699aace0853c211067bbaf178a6ee0
                              • Instruction Fuzzy Hash: E901C431740305A7D7244A55CC02F6EB7A89B79B60F04443CFE85EA282F7A4E55597D4
                              APIs
                              • memcmp.MSVCRT(?,001C48A0,00000010), ref: 0014B1BD
                              • memcmp.MSVCRT(?,001C0418,00000010), ref: 0014B1D8
                              • memcmp.MSVCRT(?,001C0428,00000010), ref: 0014B1EC
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: 2bdcf13c0370d28bf16f2f3f1f3b17da75f5911bd9fbca8080a7c0c99d5a798c
                              • Instruction ID: 9bd7ae578451c4666f29f0061473d029b7fd398678133f10615e599075d450c3
                              • Opcode Fuzzy Hash: 2bdcf13c0370d28bf16f2f3f1f3b17da75f5911bd9fbca8080a7c0c99d5a798c
                              • Instruction Fuzzy Hash: 9C010431344208A7D7245E61DC82FBE33E89B69760F04443CFE45DA292F7A4E4458390
                              APIs
                              • memcmp.MSVCRT(?,001C48A0,00000010), ref: 00173C2A
                              • memcmp.MSVCRT(?,001C0388,00000010), ref: 00173C45
                              • memcmp.MSVCRT(?,001C03B8,00000010), ref: 00173C59
                              Memory Dump Source
                              • Source File: 00000009.00000002.1765277765.0000000000111000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00110000, based on PE: true
                              • Associated: 00000009.00000002.1765261968.0000000000110000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765323043.00000000001BC000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765415299.00000000001D2000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1765429629.00000000001DB000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_110000_7zr.jbxd
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: f0ce98e91aae053a52f74f95d0942341af62a532fa3951203572e29df827356a
                              • Instruction ID: 9a68fd36031a9b7d1a59e12c28c1218cc981991b2ab1afc04abbf74fe1eff0af
                              • Opcode Fuzzy Hash: f0ce98e91aae053a52f74f95d0942341af62a532fa3951203572e29df827356a
                              • Instruction Fuzzy Hash: 7B010432340308ABD7254B15CC02FAD73B89B75720F05853DFE49EA281F3A4EA11A340