
Windows Analysis Report
Setup64v4.1.9.exe

Overview

General Information

Sample name: Setup64v4.1.9.exe
Analysis ID: 1580841
MD5: f07267a8be1916ac2b02700f5fdb65bc
SHA1: 15380faa66ef42ba6171ffed2bbee6bba9cc3e16
SHA256: 7157a44b6835911bb056cea9b6f5d53eab8a393f25e425caee5de1183c00c571
Tags: exe, user-kafan_shengui

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Adds a directory exclusion to Windows Defender
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Setup64v4.1.9.exe (PID: 6624 cmdline: "C:\Users\user\Desktop\Setup64v4.1.9.exe" MD5: F07267A8BE1916AC2B02700F5FDB65BC)
    • Setup64v4.1.9.tmp (PID: 6656 cmdline: "C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp" /SL5="$1042C,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe" MD5: 9F18A5E381F7509154D344A6946A533A)
      • powershell.exe (PID: 3704 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 2916 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • Setup64v4.1.9.exe (PID: 6316 cmdline: "C:\Users\user\Desktop\Setup64v4.1.9.exe" /VERYSILENT MD5: F07267A8BE1916AC2B02700F5FDB65BC)
        • Setup64v4.1.9.tmp (PID: 6872 cmdline: "C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp" /SL5="$30418,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe" /VERYSILENT MD5: 9F18A5E381F7509154D344A6946A533A)
          • 7zr.exe (PID: 4852 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 6656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 1700 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 4852 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 6532 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 4048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 1700 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 2108 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 1456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6688 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1196 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3584 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2736 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4476 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3584 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6656 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6248 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5768 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2080 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2736 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3332 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4476 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1196 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6656 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6248 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6620 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6672 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6624 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6656 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 764 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4888 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6676 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 824 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6548 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4852 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5764 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4908 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 744 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 764 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5840 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6580 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6532 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3084 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4192 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3060 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4944 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6548 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5300 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5764 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5304 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6532 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2756 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4192 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4900 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4852 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4412 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5768 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5304 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3168 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 744 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5016 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5840 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6688 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3332 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5720 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1216 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2992 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3060 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2144 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp" /SL5="$1042C,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp, ParentProcessId: 6656, ParentProcessName: Setup64v4.1.9.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 3704, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6688, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 1196, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp" /SL5="$1042C,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp, ParentProcessId: 6656, ParentProcessName: Setup64v4.1.9.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 3704, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6688, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 1196, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp" /SL5="$1042C,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp, ParentProcessId: 6656, ParentProcessName: Setup64v4.1.9.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 3704, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsv.vbc; Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Local\Temp\is-3NMSI.tmp\Setup.tmp; Virustotal: Detection: 11%
Source: Setup64v4.1.9.exe; Virustotal: Detection: 8%
Source: C:\Users\user\AppData\Local\Temp\is-727LQ.tmp\Setup.tmp; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows NT\hrsv.vbc; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-3NMSI.tmp\Setup.tmp; Joe Sandbox ML: detected
Source: Setup64v4.1.9.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Setup64v4.1.9.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1810162664.0000000003640000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1810067191.0000000003440000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00F46868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00F47496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: Setup64v4.1.9.tmp, 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Setup64v4.1.9.tmp, 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: Setup64v4.1.9.tmp, 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Setup64v4.1.9.tmp, 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Setup64v4.1.9.tmp, 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup64v4.1.9.tmp, 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Setup64v4.1.9.tmp, 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Setup64v4.1.9.tmp, 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Setup64v4.1.9.tmp, 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Setup64v4.1.9.tmp, 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: Setup64v4.1.9.tmp, 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Setup64v4.1.9.tmp, 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr; String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: Setup64v4.1.9.tmp, 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr; String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup64v4.1.9.tmp, 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup64v4.1.9.tmp, 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr; String found in binary or memory: http://ocsp.digicert.com0H
Source: Setup64v4.1.9.tmp, 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr; String found in binary or memory: http://ocsp.digicert.com0I
Source: Setup64v4.1.9.tmp, 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr; String found in binary or memory: http://ocsp.digicert.com0X
Source: Setup64v4.1.9.tmp, 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: Setup64v4.1.9.tmp, 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Setup64v4.1.9.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Setup64v4.1.9.exe, 00000000.00000003.1701230094.000000007EC3B000.00000004.00001000.00020000.00000000.sdmp, Setup64v4.1.9.exe, 00000000.00000003.1700583998.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, Setup64v4.1.9.tmp, 00000001.00000000.1702858163.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Setup64v4.1.9.tmp, 00000006.00000000.1765576606.0000000000EBD000.00000020.00000001.01000000.00000008.sdmp, Setup64v4.1.9.tmp.5.dr, Setup64v4.1.9.tmp.0.dr; String found in binary or memory: https://www.innosetup.com/
Source: Setup64v4.1.9.exe, 00000000.00000003.1701230094.000000007EC3B000.00000004.00001000.00020000.00000000.sdmp, Setup64v4.1.9.exe, 00000000.00000003.1700583998.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, Setup64v4.1.9.tmp, 00000001.00000000.1702858163.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Setup64v4.1.9.tmp, 00000006.00000000.1765576606.0000000000EBD000.00000020.00000001.01000000.00000008.sdmp, Setup64v4.1.9.tmp.5.dr, Setup64v4.1.9.tmp.0.dr; String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp; Process information set: 01 00 00 00
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00F482FB: __EH_prolog,GetFileInformationByHandle,DeviceIoControl,memcpy
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F497CA10_2_00F497CA
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F5976610_2_00F59766
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F6F8E010_2_00F6F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00FDD9E010_2_00FDD9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00FBF91010_2_00FBF910
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00FC7AF010_2_00FC7AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F93AEF10_2_00F93AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F5BAC910_2_00F5BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F41AA110_2_00F41AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F5BC9210_2_00F5BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00FC7C5010_2_00FC7C50
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00FBFDF010_2_00FBFDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00FC5E8010_2_00FC5E80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00FC5F8010_2_00FC5F80
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Windows NT\7zr.exe BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Windows NT\hrsv.vbc 02A7CA1654FA8AE05144BB9750DC43784E00AAD587B2DEE2E3AED67AB82D0C52
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function 00F41E40 appears 75 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function 00F428E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function 00FDFB10 appears 725 times
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Code function: String function 6C6A6240 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Code function: String function 6C743F10 appears 415 times
Source: Setup64v4.1.9.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Setup64v4.1.9.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Setup64v4.1.9.exe | Static PE information: Number of sections : 11 > 10
Source: Setup64v4.1.9.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: Setup64v4.1.9.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: Setup64v4.1.9.exe, 00000000.00000003.1701230094.000000007EF2B000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName Setup.exe vs Setup64v4.1.9.exe
Source: Setup64v4.1.9.exe, 00000000.00000003.1700583998.00000000035AF000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName Setup.exe vs Setup64v4.1.9.exe
Source: Setup64v4.1.9.exe, 00000000.00000000.1699117376.0000000000979000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName Setup.exe vs Setup64v4.1.9.exe
Source: Setup64v4.1.9.exe | Binary or memory string: OriginalFileName Setup.exe vs Setup64v4.1.9.exe
Source: Setup64v4.1.9.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
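The static PE findings above (a section count above the usual maximum, the EXECUTABLE_IMAGE and 32BIT_MACHINE characteristics, a PE32+ image stored as an RT_RCDATA resource, and an OriginalFilename of Setup.exe that does not match the name on disk) can all be reproduced from the headers with a few dozen lines of code. The following is an added example and not code from Joe Sandbox or from the sample: it parses the MZ, PE and COFF headers with the standard library, carves for embedded PE images with a heuristic scan for MZ headers rather than walking the resource directory, reads OriginalFilename by locating the UTF-16LE key of the version resource, and runs on a PE constructed in build_sample() instead of the real file. The 10-section threshold is an assumption taken from the report's "11 > 10" wording.

```python
"""Static PE triage for the 'Static PE information' findings above: section count,
EXECUTABLE_IMAGE / 32BIT_MACHINE characteristics, a PE image embedded in the file
body (the RT_RCDATA payload) and an OriginalFilename that differs from the name on disk.
Added example, not Joe Sandbox code; the sample bytes are constructed in build_sample()."""
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
TYPICAL_MAX_SECTIONS = 10  # assumed threshold, mirroring the report's "11 > 10"


def pe_header_offset(data: bytes) -> int:
    """Offset of 'PE\\0\\0', or -1 when data is not an MZ image whose e_lfanew points at one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return -1
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return -1
    return e_lfanew


def coff_header(data: bytes, pe_off: int) -> dict:
    """Parse the 20-byte COFF file header that follows the PE signature."""
    machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    return {"machine": machine, "sections": nsections,
            "optional_header_size": opt_size, "characteristics": chars}


def characteristic_names(chars: int) -> list:
    names = []
    if chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        names.append("EXECUTABLE_IMAGE")
    if chars & IMAGE_FILE_32BIT_MACHINE:
        names.append("32BIT_MACHINE")
    return names


def embedded_pe_machines(data: bytes) -> list:
    """Carve for PE images after offset 0 (e.g. an RT_RCDATA payload): every 'MZ' whose
    e_lfanew lands on a PE signature. A heuristic carve, not a resource-directory walk."""
    found, pos = [], 1
    while True:
        pos = data.find(b"MZ", pos)
        if pos == -1:
            return found
        sub = data[pos:]
        off = pe_header_offset(sub)
        if off != -1:
            found.append(coff_header(sub, off)["machine"])
        pos += 2


def original_filename(data: bytes):
    """Heuristic read of the VS_VERSIONINFO 'OriginalFilename' string: the UTF-16LE key,
    its terminator plus DWORD alignment padding, then the UTF-16LE value."""
    key = "OriginalFilename".encode("utf-16le")
    idx = data.find(key)
    if idx == -1:
        return None
    pos = idx + len(key)
    while data[pos:pos + 2] == b"\0\0":  # skip key terminator and padding
        pos += 2
    end = pos
    while end + 2 <= len(data) and data[end:end + 2] != b"\0\0":
        end += 2
    return data[pos:end].decode("utf-16le", errors="replace")


def triage(data: bytes, on_disk_name: str) -> dict:
    """Header facts plus human-readable findings in the report's own wording."""
    pe_off = pe_header_offset(data)
    if pe_off == -1:
        return {"findings": ["not a PE file"]}
    hdr = coff_header(data, pe_off)
    findings = []
    if hdr["sections"] > TYPICAL_MAX_SECTIONS:
        findings.append(f"Number of sections : {hdr['sections']} > {TYPICAL_MAX_SECTIONS}")
    findings.append(", ".join(characteristic_names(hdr["characteristics"])))
    machines = embedded_pe_machines(data)
    for m in machines:
        findings.append(f"embedded PE image, machine 0x{m:04X}")
    orig = original_filename(data)
    if orig and orig.lower() != on_disk_name.lower():
        findings.append(f"OriginalFilename {orig} vs {on_disk_name}")
    hdr.update({"embedded_pe_machines": machines, "original_filename": orig, "findings": findings})
    return hdr


def build_pe(machine: int, nsections: int, chars: int, body: bytes = b"") -> bytes:
    """Construct a minimal MZ + PE + COFF header (no optional header, no section table)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + body


def build_sample() -> bytes:
    """Constructed 32-bit, 11-section image carrying a version string and an x64 PE payload."""
    version = ("OriginalFilename".encode("utf-16le") + b"\0\0" + b"\0\0"
               + "Setup.exe".encode("utf-16le") + b"\0\0")
    payload = build_pe(IMAGE_FILE_MACHINE_AMD64, 6, IMAGE_FILE_EXECUTABLE_IMAGE)
    return build_pe(IMAGE_FILE_MACHINE_I386, 11,
                    IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE, version + payload)


if __name__ == "__main__":
    for line in triage(build_sample(), "Setup64v4.1.9.exe")["findings"]:
        print(line)
```

On a real file, replace build_sample() with the file's bytes; the MZ carve will also hit the stub of any legitimately embedded installer or overlay, so treat an embedded x64 console image inside a 32-bit GUI installer as a lead to pull the resource, not as a verdict on its own.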
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal88.evad.winEXE@130/31@0/0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F49313 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F53D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F49252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | File created: C:\Program Files (x86)\Windows NT\is-GL0PP.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5768:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5304:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5840:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6564:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3332:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6620:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1456:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4048:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6580:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2416:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6624:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3492:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:792:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:480:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6656:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5968:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6672:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5820:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4412:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5016:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4520:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4944:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4192:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:824:120:WilError_03
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | File created: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: Setup64v4.1.9.exe | Virustotal: Detection: 8%
Source: Setup64v4.1.9.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | File read: C:\Users\user\Desktop\Setup64v4.1.9.exe
Source: unknown | Process created: C:\Users\user\Desktop\Setup64v4.1.9.exe "C:\Users\user\Desktop\Setup64v4.1.9.exe"
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp "C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp" /SL5="$1042C,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe"
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp | Process created: C:\Users\user\Desktop\Setup64v4.1.9.exe "C:\Users\user\Desktop\Setup64v4.1.9.exe" /VERYSILENT
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp "C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp" /SL5="$30418,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp "C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp" /SL5="$1042C,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe"
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp | Process created: C:\Users\user\Desktop\Setup64v4.1.9.exe "C:\Users\user\Desktop\Setup64v4.1.9.exe" /VERYSILENT
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp "C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp" /SL5="$30418,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
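Three of the command lines above are the ones a detection engineer would alert on: the Defender exclusion for the whole C:\ volume, the creation of a kernel-mode service (type= kernel) whose binPath is a .dll under Program Files (x86)\Windows NT rather than a .sys under System32\drivers, and the extraction of .dat files with a renamed 7-Zip console and a password on the command line, followed by dozens of sc start CleverSoar retries. The following is an added example and not Joe Sandbox code: it takes CommandLine fields as exported from Sysmon Event ID 1 or Security event 4688 (an assumed input format), applies one check per behaviour, and links later sc start calls back to a service flagged at creation time. The sample lines are copied from this report plus one constructed benign driver install as a control; the regexes accept sc.exe's option= value syntax with or without the space after the equals sign.

```python
"""Triage of process-creation command lines for the behaviours recorded above:
a Defender exclusion covering a whole drive, a kernel-mode service whose binary is
not a .sys under System32\\drivers, password-protected 7-Zip extraction of files with
a non-archive extension, and 'sc start' of a service flagged by the second check.
Added example, not Joe Sandbox code. Input is the CommandLine field of Sysmon EID 1
or Security 4688 events (assumed format); SAMPLE_COMMAND_LINES is built from this report."""
import re

ARCHIVE_EXTENSIONS = {".7z", ".zip", ".rar", ".tar", ".gz", ".xz", ".bz2", ".cab", ".iso", ".wim"}

RE_MP_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"\s]+)", re.I)
RE_SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(\S+)(.*)", re.I)
RE_SC_START = re.compile(r"\bsc(?:\.exe)?\s+start\s+(\S+)", re.I)
RE_SC_OPTION = re.compile(r"(\w+)=\s*(\"[^\"]*\"|\S+)")  # sc.exe 'option= value' pairs
RE_7Z_EXTRACT = re.compile(r"\b7z[ar]?(?:\.exe)?\s+[xe]\s+(.*)", re.I)
RE_7Z_PASSWORD = re.compile(r"(?:^|\s)-p(\S*)")


def check_defender_exclusion(cmd: str):
    """Any Add-MpPreference exclusion is worth a look; a bare drive root is the worst case."""
    m = RE_MP_EXCLUSION.search(cmd)
    if not m:
        return None
    kind, value = m.group(1), m.group(2)
    paths = [p for p in value.split(",") if p]
    drive_root = kind.lower() == "path" and all(re.fullmatch(r"[A-Za-z]:\\?", p) for p in paths)
    return {"rule": "defender_exclusion", "kind": kind, "paths": paths,
            "drive_root": drive_root, "severity": "high" if drive_root else "medium"}


def check_kernel_driver_service(cmd: str):
    """sc create with type= kernel/filesys whose binPath is outside System32\\drivers or not a .sys."""
    m = RE_SC_CREATE.search(cmd)
    if not m:
        return None
    name = m.group(1)
    opts = {k.lower(): v.strip('"') for k, v in RE_SC_OPTION.findall(m.group(2))}
    if opts.get("type", "").lower() not in ("kernel", "filesys"):
        return None
    binpath = opts.get("binpath", "")
    in_drivers_dir = "\\system32\\drivers\\" in binpath.lower()
    sys_extension = binpath.lower().endswith(".sys")
    if in_drivers_dir and sys_extension:
        return None  # conventional driver install; nothing to flag from the command line alone
    return {"rule": "kernel_driver_service", "service": name, "binpath": binpath,
            "start": opts.get("start"), "in_drivers_dir": in_drivers_dir,
            "sys_extension": sys_extension, "severity": "high"}


def check_password_extraction(cmd: str):
    """7z/7za/7zr extract (x or e) with a -p<password> switch; non-archive extensions weigh more."""
    m = RE_7Z_EXTRACT.search(cmd)
    if not m:
        return None
    args = m.group(1)
    if not RE_7Z_PASSWORD.search(args):
        return None
    archive = next((t for t in args.split() if not t.startswith("-")), None)
    ext = ("." + archive.rsplit(".", 1)[-1].lower()) if archive and "." in archive else ""
    known = ext in ARCHIVE_EXTENSIONS
    return {"rule": "password_protected_extraction", "archive": archive,
            "archive_extension_known": known, "severity": "medium" if known else "high"}


def triage_command_lines(lines):
    """Run every check over the lines in order; 'sc start' of a service that an earlier
    line created with a suspicious binPath is reported as a linked finding."""
    findings, suspicious_services = [], set()
    for i, cmd in enumerate(lines):
        for check in (check_defender_exclusion, check_kernel_driver_service, check_password_extraction):
            f = check(cmd)
            if f:
                f["line"] = i
                findings.append(f)
                if f["rule"] == "kernel_driver_service":
                    suspicious_services.add(f["service"].lower())
        m = RE_SC_START.search(cmd)
        if m and m.group(1).lower() in suspicious_services:
            findings.append({"rule": "suspicious_service_start", "service": m.group(1),
                             "line": i, "severity": "high"})
    return findings


# Sample input: the first four lines are copied from this report; the last is a constructed benign control.
SAMPLE_COMMAND_LINES = [
    "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\"",
    'sc create CleverSoar displayname= CleverSoar binPath= "C:\\Program Files (x86)\\Windows NT\\tProtect.dll" type= kernel start= auto',
    "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald",
    "sc start CleverSoar",
    'sc create GoodDrv binPath= "C:\\Windows\\System32\\drivers\\gooddrv.sys" type= kernel start= demand',
]

if __name__ == "__main__":
    for finding in triage_command_lines(SAMPLE_COMMAND_LINES):
        print(finding)
```

The service-start correlation only fires for a name seen in a flagged sc create earlier in the same batch, so feed it the full process tree of a host rather than a single event; on its own, sc start is far too common to alert on.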
Source: C:\Users\user\Desktop\Setup64v4.1.9.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\Setup64v4.1.9.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: slc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmpSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (2 times), cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Two of these are worth noting: amsi.dll means the script content was presented to AMSI (so the decoded command line is what an AMSI-aware EDR would have seen), and mi.dll, miutils.dll, wmidcom.dll and wbemcomn.dll are the CIM/WMI client stack, which the Windows Defender cmdlets use under the hood (they are CDXML wrappers over the Defender WMI provider).
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Sections loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll (2 times), kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, gpapi.dll
mpclient.dll is the Windows Defender client library; its appearance inside the WMI provider host shows that the Defender WMI provider was exercised during this run, which is the server side of the WMI client activity seen in powershell.exe.
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Sections loaded: uxtheme.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Sections loaded: mpr.dll, version.dll, winhttp.dll, uxtheme.dll, kernel.appcore.dll, wtsapi32.dll, winsta.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll (3 times), shfolder.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, textshaping.dll, windows.storage.dll, wldp.dll, sspicli.dll, dwmapi.dll, sfc.dll, sfc_os.dll, explorerframe.dll, wininet.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Window found: window name: TMainForm
TMainForm is a Delphi form class name; together with the is-XXXXX.tmp working directories, the _isetup\_setup64.tmp helper and the .didata section, it identifies the outer package as an Inno Setup installer. The installer framework itself is benign; the payload it carries is what matters.
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Setup64v4.1.9.exe | Static file information: File size 12899330 > 1048576 (about 12.3 MB)
Source: Setup64v4.1.9.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb | found in: 7zr.exe (0000000C.00000003.1810162664.0000000003640000.00000004.00001000.00020000.00000000.sdmp), 7zr.exe (0000000C.00000003.1810067191.0000000003440000.00000004.00001000.00020000.00000000.sdmp), tProtect.dll.12.dr
The PDB path is that of a kernel driver (TfSysMon) built in the WDK's objfre_wnet_amd64 environment, i.e. a free (release) build targeting Windows Server 2003 x64, and it is present in the dropped tProtect.dll. That is consistent with tProtect.dll being a driver image carrying a .dll extension rather than a user-mode library, and it appears in 7zr.exe memory because 7zr.exe is the process that writes the file out.
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00FC57D0 GetCurrentProcessId, GetCurrentThreadId, LoadLibraryW, GetProcAddress, FreeLibrary, GetTickCount, QueryPerformanceCounter, GetTickCount (10_2_00FC57D0)
The process-ID, thread-ID, tick-count and performance-counter combination is the classic seed for the MSVC /GS security cookie, so this function on its own is not evidence of anti-analysis; the LoadLibraryW/GetProcAddress pair is what the "dynamically determine API calls" signature keys on.
Source: hrsv.vbc.6.dr | Static PE information: real checksum: 0x0 should be: 0x649dd2
Source: Setup.tmp.1.dr | Static PE information: real checksum: 0x0 should be: 0x649dd2
Source: Setup64v4.1.9.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x32a21e
Source: Setup.tmp.6.dr | Static PE information: real checksum: 0x0 should be: 0x649dd2
Source: tProtect.dll.12.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: Setup64v4.1.9.tmp.5.dr | Static PE information: real checksum: 0x0 should be: 0x32a21e
"Real checksum" is the value stored in IMAGE_OPTIONAL_HEADER.CheckSum and "should be" is the recomputed one. A stored value of 0x0 only means the linker never wrote a checksum, which is common and not suspicious by itself; tProtect.dll is the interesting case, because a non-zero value that does not match shows the image was altered after it was linked. The matching expected values also show that Setup.tmp.1.dr, Setup.tmp.6.dr and hrsv.vbc.6.dr are one binary, and that Setup64v4.1.9.tmp.0.dr and .5.dr are the same installer stub extracted by two separate runs (process 0 and process 5).
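The "real checksum" / "should be" pairs above are the stored IMAGE_OPTIONAL_HEADER.CheckSum against a recomputation. The following Python is an added example, not code from the analysed sample or from Joe Sandbox: it reimplements that recomputation (the one's-complement sum of every 16-bit word of the file with the CheckSum field itself excluded, folded to 16 bits, plus the file length) and returns the three verdicts seen in the report: unset, valid and mismatch. The image it checks is a constructed PE32+ header built in `build_sample_image`, not one of the dropped files; the DWORD-alignment assumption on the optional header is noted in a comment.

```python
"""Recompute IMAGE_OPTIONAL_HEADER.CheckSum and classify it the way the report does.
Added example; not code from the analysed sample or from the sandbox."""
import struct


def checksum_field_offset(data: bytes) -> int:
    """File offset of the CheckSum DWORD, after validating the MZ/PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_NT_HEADERS = 4-byte signature + 20-byte file header + optional header;
    # CheckSum sits at +0x40 in the optional header for both PE32 and PE32+.
    off = e_lfanew + 4 + 20 + 0x40
    if off + 4 > len(data):
        raise ValueError("optional header truncated")
    if off % 4:  # assumption: real linkers keep e_lfanew DWORD aligned
        raise ValueError("optional header not DWORD aligned")
    return off


def stored_checksum(data: bytes) -> int:
    """The 'real checksum' column: whatever the header claims."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def compute_checksum(data: bytes) -> int:
    """The 'should be' column. Summing 32-bit words with end-around carry and folding
    to 16 bits gives the same result as the 16-bit word sum, with half the iterations."""
    skip = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)  # odd tail is zero-padded, length is not
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:  # the CheckSum field is excluded from its own sum
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total > 0xFFFFFFFF:  # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def check_pe_checksum(data: bytes) -> dict:
    """Return both values plus a verdict: 'unset', 'valid' or 'mismatch'."""
    real, expected = stored_checksum(data), compute_checksum(data)
    if real == 0:
        verdict = "unset"      # linker never wrote one; common and harmless on its own
    elif real == expected:
        verdict = "valid"
    else:
        verdict = "mismatch"   # image changed after linking, or header forged
    return {"real": real, "expected": expected, "verdict": verdict}


def build_sample_image(checksum_field: int, size: int = 512) -> bytes:
    """Constructed minimal PE32+ header (not a runnable program, not a dropped file)."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)        # e_lfanew -> NT headers at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x8664, 1)  # Machine = AMD64, NumberOfSections = 1
    struct.pack_into("<H", buf, 0x54, 240)         # SizeOfOptionalHeader for PE32+
    struct.pack_into("<H", buf, 0x58, 0x20B)       # Magic = PE32+
    struct.pack_into("<I", buf, 0x58 + 0x40, checksum_field)
    for i in range(0x150, size):                   # deterministic filler after the headers
        buf[i] = (i * 37) & 0xFF
    return bytes(buf)


if __name__ == "__main__":
    blank = build_sample_image(0)
    good = build_sample_image(compute_checksum(blank))
    for name, img in (("unset", blank), ("fixed", good), ("patched", good[:-1] + b"\xff")):
        r = check_pe_checksum(img)
        print(f"{name}: real checksum: {r['real']:#x} should be: {r['expected']:#x} ({r['verdict']})")
```

Run it against a real file with `check_pe_checksum(open(path, "rb").read())`; because the field is excluded from the sum, writing the computed value back into the header and recomputing returns the same number, which is how the "fixed" case above becomes valid.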
Source: Setup64v4.1.9.exe | Static PE information: section name: .didata
Source: Setup64v4.1.9.tmp.0.dr | Static PE information: section name: .didata
Source: Setup.tmp.1.dr | Static PE information: section names: .00cfg, .voltbl, .XkS
Source: Setup64v4.1.9.tmp.5.dr | Static PE information: section name: .didata
Source: 7zr.exe.6.dr | Static PE information: section name: .sxdata
Source: Setup.tmp.6.dr | Static PE information: section names: .00cfg, .voltbl, .XkS
Source: hrsv.vbc.6.dr | Static PE information: section names: .00cfg, .voltbl, .XkS
Most of these names are compiler output rather than packer artefacts: .didata is the Delphi delay-load import section (the Inno Setup stub is a Delphi program), .00cfg and .voltbl are written by the MSVC linker (Control Flow Guard data and volatile metadata), and .sxdata is the MSVC/MASM SafeSEH handler table. .XkS is not a standard linker name and is the section worth inspecting in the three identical Setup.tmp/hrsv.vbc images.
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Code function: 6_2_6C743F10 push eax; ret (6_2_6C743F2E)
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Code function: 6_2_6C6A89F4 push 004AC35Ch; ret (6_2_6C6A8A0E)
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Code function: 6_2_6C744290 push eax; ret (6_2_6C7442BE)
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F445F4 push 00FEC35Ch; ret (10_2_00F4460E)
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00FDFB10 push eax; ret (10_2_00FDFB2E)
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00FDFE90 push eax; ret (10_2_00FDFEBE)
Source: Setup.tmp.1.dr, Setup.tmp.6.dr, hrsv.vbc.6.dr | Static PE information: section name: .text entropy: 6.902892302303514
The identical .text entropy across the three files matches their identical expected checksum and section lists: they are copies of one binary, and hrsv.vbc is that PE written under an extension that does not look executable.
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-3NMSI.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | File created: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-3NMSI.tmp\Setup.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-727LQ.tmp\Setup.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | File created: C:\Program Files (x86)\Windows NT\hrsv.vbc (reported twice)
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | File created: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-727LQ.tmp\_isetup\_setup64.tmp
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
This registers the dropped tProtect.dll as an auto-start kernel-mode driver service named CleverSoar. The points to pivot on are the driver image with a .dll extension and its location under C:\Program Files (x86)\Windows NT (a real Windows directory, but not where drivers live) rather than System32\drivers; the same ServiceName, ImagePath, ServiceType and StartType values are written to the System log as event 7045 when the service is installed.
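The service registration above is the event a detection engineer would triage first. The following Python is an added example, not code from the sample or from Joe Sandbox: it parses sc.exe's "key= value" argument syntax (the equals sign is glued to the key and the value is the next token) and applies three checks to a kernel-mode registration: image extension, image location and start type. The sample input is the command line from this report; the benign command lines in the test are constructed for contrast. The same checks apply unchanged to the ImagePath, ServiceType and StartType fields of System event 7045.

```python
"""Parse an 'sc create' command line and triage it as a driver-installation event.
Added example; not code from the analysed sample or from the sandbox."""
from __future__ import annotations

# sc.exe type= values that load into the kernel (SERVICE_KERNEL_DRIVER and friends)
KERNEL_TYPES = {"kernel", "filesys", "rec", "adapt"}
# start= values that load without anyone asking
AUTO_STARTS = {"boot", "system", "auto"}

# Command line taken from the report above (the only sample input that is not constructed).
SAMPLE_CMD = ('sc create CleverSoar displayname= CleverSoar '
              'binPath= "C:\\Program Files (x86)\\Windows NT\\tProtect.dll" type= kernel start= auto')


def split_cmdline(cmd: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes.
    Backslashes are literal (Windows paths), unlike in a POSIX shell."""
    tokens: list[str] = []
    cur: list[str] = []
    in_quotes = False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_sc_create(cmd: str) -> dict[str, str]:
    """Return {'name': ..., 'binpath': ..., 'type': ..., 'start': ..., ...} from
    'sc [\\\\server] create NAME key= value ...'. Keys are lower-cased."""
    toks = split_cmdline(cmd)
    exe = toks[0].rsplit("\\", 1)[-1].lower() if toks else ""
    if exe not in ("sc", "sc.exe"):
        raise ValueError("not an sc.exe command line")
    i = 1
    if i < len(toks) and toks[i].startswith("\\\\"):  # optional remote server
        i += 1
    if i + 1 >= len(toks) or toks[i].lower() != "create":
        raise ValueError("not an 'sc create' command line")
    svc = {"name": toks[i + 1]}
    i += 2
    while i < len(toks):
        key = toks[i]
        if key.endswith("=") and i + 1 < len(toks):
            svc[key[:-1].lower()] = toks[i + 1]
            i += 2
        else:
            i += 1  # tolerate stray tokens rather than fail the whole parse
    return svc


def triage_driver_service(svc: dict[str, str]) -> list[str]:
    """Findings for a kernel-mode registration; an empty list means nothing unusual."""
    findings: list[str] = []
    if svc.get("type", "own").lower() not in KERNEL_TYPES:
        return findings  # user-mode service: out of scope for these checks
    image = svc.get("binpath", "")
    low = image.lower().strip()
    if not low.endswith(".sys"):
        findings.append(f"kernel image with non-driver extension: {image}")
    # Drivers normally live in %SystemRoot%\System32\drivers, whether written as an
    # absolute path, \SystemRoot\System32\drivers\... or the relative System32\drivers\... form.
    if "system32\\drivers\\" not in low:
        findings.append(f"kernel image outside System32\\drivers: {image}")
    if svc.get("start", "demand").lower() in AUTO_STARTS:
        findings.append(f"driver set to load automatically (start= {svc['start']})")
    return findings


if __name__ == "__main__":
    svc = parse_sc_create(SAMPLE_CMD)
    print(svc["name"], "->", svc["binpath"])
    for line in triage_driver_service(svc):
        print("  -", line)
```

For a Sysmon or 4688 feed, run `parse_sc_create` over every command line whose image is sc.exe and alert when `triage_driver_service` returns anything; third-party security products do install drivers outside System32\drivers, so the location finding is a review item rather than a verdict on its own.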

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 times)
PowerShell reads every module manifest on PSModulePath when it resolves a command it has not seen before (module auto-loading), so opening BitLocker.psd1 shows that command discovery ran, not that the script touched BitLocker; the command line handed to powershell.exe is the better evidence of intent.
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (6 times)
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (98 times)
Source: C:\Users\user\Desktop\Setup64v4.1.9.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (10 times)
These are SetErrorMode calls with SEM_FAILCRITICALERRORS and SEM_NOOPENFILEERRORBOX, which suppress the system's error dialogs; installers and any process that probes for optional DLLs set them routinely, so they carry little weight on their own.

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | System information queried: FirmwareTableInformation
SystemFirmwareTableInformation returns the raw SMBIOS and ACPI tables (the same data GetSystemFirmwareTable exposes), which is where hypervisor vendor strings show up on a virtual machine.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
922337203685477 ms is TimeSpan.MaxValue (Int64.MaxValue ticks of 100 ns divided by 10000), i.e. an infinite wait rather than a chosen sleep interval; it is weak evidence of evasion by itself and should be weighed against the script's actual command line.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5993
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3784
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Window / User API: threadDelayed 534
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Window / User API: threadDelayed 567
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Window / User API: threadDelayed 511
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3NMSI.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3NMSI.tmp\Setup.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-727LQ.tmp\Setup.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsv.vbc
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-727LQ.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exeAPI coverage: 8.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3492Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F46868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_00F46868
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F47496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_00F47496
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F49C60 GetSystemInfo,10_2_00F49C60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: Setup64v4.1.9.tmp, 00000001.00000002.1769307177.0000000000F0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}h
Source: Setup64v4.1.9.tmp, 00000001.00000002.1769307177.0000000000F0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\/
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Thread information set: HideFromDebugger (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Process queried: DebugPort
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00FC57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Code function: 6_2_6C687676 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" (2 occurrences)
Source: tProtect.dll.12.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp | Process created: C:\Users\user\Desktop\Setup64v4.1.9.exe "C:\Users\user\Desktop\Setup64v4.1.9.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (31 occurrences)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
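The two process creations above leave durable changes on the host: a Windows Defender exclusion covering the whole C: drive, and a kernel-mode service whose image is a .dll under Program Files. The following PowerShell is an added triage script, not part of the Joe Sandbox report or of the sample, that checks a live host for both conditions. It assumes PowerShell 5.1 or later on an elevated prompt with the Defender module present; the "root-like path" regex, the approved-exclusion list and the two expected driver directories are assumptions made here, not report content.

```powershell
# Added triage script (not part of the Joe Sandbox report or of the sample).
# Checks a live host for the two durable changes recorded above:
#   1. Defender path exclusions that cover a drive, share or profile root
#      (the report shows: Add-MpPreference -ExclusionPath 'C:\').
#   2. Kernel-mode services whose image sits outside the system driver
#      directories or is not a .sys file (the report shows: sc create CleverSoar
#      binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel).
# Read-only. Needs an elevated PowerShell 5.1+ prompt and the Defender module.
#Requires -RunAsAdministrator

function Get-SuspiciousDefenderExclusion {
    # Root-level exclusions are flagged outright; every other exclusion is
    # listed unless it is on the caller's approved list (assumed policy).
    param([string[]]$Approved = @())

    try { $pref = Get-MpPreference -ErrorAction Stop }
    catch { Write-Warning "Defender preferences unavailable: $_"; return }

    # Drive root (C:\), share root (\\server\share), profile and ProgramData roots.
    $rootLike = '^(?:[A-Za-z]:\\?|\\\\[^\\]+\\[^\\]+\\?|' +
                [regex]::Escape("${env:SystemDrive}\Users") + '\\?|' +
                [regex]::Escape($env:ProgramData) + '\\?)$'

    foreach ($path in @($pref.ExclusionPath)) {
        if (-not $path) { continue }
        $reason = if ($path -match $rootLike) { 'excludes a drive, share or profile root' }
                  elseif ($Approved -notcontains $path) { 'not on the approved list' }
        if ($reason) {
            [pscustomobject]@{ Kind = 'DefenderExclusion'; Item = $path; Image = ''; Reason = $reason }
        }
    }
}

function Get-SuspiciousKernelService {
    # Expected homes for driver images (assumption); anything else is triaged.
    $expected = @(
        (Join-Path $env:SystemRoot 'System32\drivers'),
        (Join-Path $env:SystemRoot 'System32\DriverStore')
    )

    foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $svc = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver (what "type= kernel" creates), 2 = file-system driver.
        if ($svc.Type -notin @(1, 2) -or -not $svc.ImagePath) { continue }

        # Normalise the spellings the SCM stores: quoted, \??\C:\..., \SystemRoot\..., System32\...
        $img = "$($svc.ImagePath)".Trim('"')
        $img = $img -replace '^\\\?\?\\', ''
        $img = $img -replace '^\\SystemRoot\\', "${env:SystemRoot}\"
        if ($img -notmatch '^[A-Za-z]:\\') { $img = Join-Path $env:SystemRoot $img }

        $reasons = @()
        if (-not ($expected | Where-Object { $img -like "$_\*" })) { $reasons += 'image outside the system driver directories' }
        if ([IO.Path]::GetExtension($img) -ne '.sys')             { $reasons += 'image is not a .sys file' }
        if (-not $reasons) { continue }

        # Only the triaged images get the (slower) signature check.
        if (-not (Test-Path -LiteralPath $img)) { $reasons += 'image file missing' }
        else {
            $sig = Get-AuthenticodeSignature -LiteralPath $img
            if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
        }

        [pscustomobject]@{
            Kind   = 'KernelService'
            Item   = "$($key.PSChildName) (start=$($svc.Start))"   # Start 2 = auto, as in "start= auto"
            Image  = $img
            Reason = $reasons -join '; '
        }
    }
}

Get-SuspiciousDefenderExclusion
Get-SuspiciousKernelService | Format-Table Kind, Item, Image, Reason -Wrap
```

On a host that ran this sample the first function reports `C:\` as a root-level exclusion and the second lists the CleverSoar service with its `\??\C:\Program Files (x86)\Windows NT\tProtect.dll` image, flagged for living outside the driver directories and for not being a .sys file. Vendor drivers legitimately installed under Program Files will also appear; the output is a triage list to review, not a verdict.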
Source: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp | Code function: 6_2_6C744720 cpuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F4AB2A GetSystemTimeAsFileTime
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00FE0090 GetVersion
MITRE ATT&CK matrix. A number in front of a technique is the signature-count badge shown in the original matrix, copied as extracted (adjacent badges may have run together); techniques without a number had no matching signature in this analysis.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 Windows Service | 1 Access Token Manipulation | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Windows Service | 1 Disable or Modify Tools | LSASS Memory | 311 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Service Execution | Logon Script (Windows) | 111 Process Injection | 231 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 Native API | Login Hook | 1 DLL Side-Loading | 1 Access Token Manipulation | NTDS | 231 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 111 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 2 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | 3 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Software Packing | Proc Filesystem | 35 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (ID 1580841, sample Setup64v4.1.9.exe, start date 26/12/2024, architecture WINDOWS, score 88). Signatures on the start node: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; 2 other signatures.

Process tree as drawn in the graph (dropped files and per-process signatures in brackets; "..." paths are abbreviated in the graph itself):

Setup64v4.1.9.exe [drops C:\Users\user\AppData\...\Setup64v4.1.9.tmp, PE32]
  Setup64v4.1.9.tmp [drops C:\Users\user\AppData\Local\...\Setup.tmp, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+] [Adds a directory exclusion to Windows Defender]
    Setup64v4.1.9.exe [drops C:\Users\user\AppData\...\Setup64v4.1.9.tmp, PE32]
      Setup64v4.1.9.tmp [drops C:\Users\user\AppData\Local\...\Setup.tmp, PE32; C:\Program Files (x86)\Windows NT\hrsv.vbc, PE32; C:\Program Files (x86)\Windows NT\7zr.exe, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+] [Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers]
        7zr.exe [drops C:\Program Files (x86)\...\tProtect.dll, PE32+]
          conhost.exe
        cmd.exe
          sc.exe
            conhost.exe
        cmd.exe
          sc.exe
            conhost.exe
        7zr.exe
          conhost.exe
    powershell.exe [Loading BitLocker PowerShell Module]
      conhost.exe
      WmiPrvSE.exe
cmd.exe
  sc.exe
    conhost.exe
cmd.exe
  sc.exe
    conhost.exe
29 other processes started from the root (the graph shows three more sc.exe instances, each with a conhost.exe, and collapses 25 further processes and their 24 further conhost.exe children)

Source | Detection | Scanner
Setup64v4.1.9.exe | 8% | Virustotal
Setup64v4.1.9.exe | 3% | ReversingLabs

Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\is-727LQ.tmp\Setup.tmp | 100% | Joe Sandbox ML
C:\Program Files (x86)\Windows NT\hrsv.vbc | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\is-3NMSI.tmp\Setup.tmp | 100% | Joe Sandbox ML
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal
C:\Program Files (x86)\Windows NT\hrsv.vbc | 11% | Virustotal
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll | 6% | Virustotal
C:\Users\user\AppData\Local\Temp\is-3NMSI.tmp\Setup.tmp | 11% | Virustotal
C:\Users\user\AppData\Local\Temp\is-3NMSI.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-727LQ.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs

No Antivirus matches
Name | IP | Active | Malicious | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | high

Name | Source | Malicious | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | Setup64v4.1.9.exe | false | high
https://www.remobjects.com/ps | Setup64v4.1.9.exe, 00000000.00000003.1701230094.000000007EC3B000.00000004.00001000.00020000.00000000.sdmp, Setup64v4.1.9.exe, 00000000.00000003.1700583998.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, Setup64v4.1.9.tmp, 00000001.00000000.1702858163.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Setup64v4.1.9.tmp, 00000006.00000000.1765576606.0000000000EBD000.00000020.00000001.01000000.00000008.sdmp, Setup64v4.1.9.tmp.5.dr, Setup64v4.1.9.tmp.0.dr | false | high
https://www.innosetup.com/ | Setup64v4.1.9.exe, 00000000.00000003.1701230094.000000007EC3B000.00000004.00001000.00020000.00000000.sdmp, Setup64v4.1.9.exe, 00000000.00000003.1700583998.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, Setup64v4.1.9.tmp, 00000001.00000000.1702858163.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Setup64v4.1.9.tmp, 00000006.00000000.1765576606.0000000000EBD000.00000020.00000001.01000000.00000008.sdmp, Setup64v4.1.9.tmp.5.dr, Setup64v4.1.9.tmp.0.dr | false | high
          No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580841
Start date and time: 2024-12-26 11:15:32 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 110
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: Setup64v4.1.9.exe
Detection: MAL
Classification: mal88.evad.winEXE@130/31@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 60%
• Number of executed functions: 92
• Number of non-executed functions: 195
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): Conhost.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 52.165.164.15
• Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, dns.msftncsi.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
          No simulations
          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | 0Ty.png.exe | malicious | Xmrig | 199.232.214.172
bg.microsoft.map.fastly.net | 0442.pdf.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 0442.pdf.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | yvaKqhmD4L.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | IoIB9gQ6OQ.exe | malicious | AsyncRAT, PureLog Stealer | 199.232.210.172
bg.microsoft.map.fastly.net | eCompleted_419z.pdf | malicious | HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | 3FG4bsfkEwmxFYY.exe | malicious | FormBook | 199.232.214.172
bg.microsoft.map.fastly.net | #U5b89#U88c5#U52a9#U624b1.0.3.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | eCompleted_419z.pdf | malicious | Unknown | 199.232.210.172
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\Windows NT\7zr.exe | Setup64v7.3.9.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | yvaKqhmD4L.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | yvaKqhmD4L.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\hrsv.vbc | Setup64v7.3.9.exe | malicious | Unknown
Process: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: true
Antivirus:
• ReversingLabs, Detection: 0%
• Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: Setup64v7.3.9.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, Detection: malicious
• Filename: yvaKqhmD4L.exe, Detection: malicious
• Filename: yvaKqhmD4L.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp
File Type: data
Category: dropped
Size (bytes): 3221009
Entropy (8bit): 7.999940595371903
Encrypted: true
SSDEEP: 98304:XCOjC0WnYf+LCXhksIbstsy780E+S5XufrjVpfjF:y2hWCRksIb5y7W5ezjVxF
MD5: 844C90C34433E6159EC531A2038FD95C
SHA1: 55229F8F5715E1E2F4F5F13FFEB67B188259DEF6
SHA-256: B8E5BBB5400326FDF0366A0212F4F2C05D1517A064883A7CA82480AF46948BFE
SHA-512: 39AE0AE1FF66C10FCF48A337C594FA19A33CF9E44D75F9800E09377E1DD5F432CFD8FF05063DD6D3055FDDF99126F78C8D4849DE1A194EDBD0DAD10C3CC95B26
Malicious: false
                              Preview:.@S.....T..L...............A...-_..kG.k.EoO..W.....9f.FD...o&f.~.A.6.......v.3i...R.S.....wA.yYN...7...j\AC#..F..?..).......`...../...I.LF.Z............kV...3....v.B..........G.n).1..*TYA.B..8...ihp......Z??.T....Fb:...B.-;..{.Fc.2...z.n=bSY)."....K...e...n...0;.^.O.:.P.:.....p?..=....E>Z..|.?$d?.....k&...]......N..*?f~r.I@Z...t....~m.<.....<...i..!......~.*.l....y=i....?..(.AG...rH.0-/.%p.G.pz&.,.~.|Y...?.A...,..ljW...].k.....b.J..f).R......s3}.......E..Ge7F.U\.,.....|...o...4.......A.lr..#%P.h.Bb.P....FPXR.#!......qG<............Y.'.=K./.4.Z\.F..O..9.?\-.}.IQq@......2..Y.......n ..c....r\.<f..f{......6A.......~{..c."..[...y<...l..S..,Z.t...{.zF....r.&T.....,....J>-.%?.[.8..fy..Y...."...Q.......Q....U.(...mc.......TN.......Rp._0y..w...)h.p...M..n....2.%../.f....f>..xQ.1.m)I%.|.\f..q..M r..xJ.?X.."....RV>......[r%y...L..L....tS1.1(...b...k..].e.mZ.x.G.kx....r..U....a.....A.....)K.N....;.c.....e_...f.Q..y`|AN.._l4...bXf.&..UL..6
                              Process:C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):6553088
                              Entropy (8bit):7.647769337217841
                              Encrypted:false
                              SSDEEP:196608:90JmOiIkT/p5gtxNvL/6amzp5+/2nfD3:fjghjCZm2f
                              MD5:7660CD2408FA83CD090E58097DF443EA
                              SHA1:927B4D4213058490E4A5F0E8F917F492A7B9816F
                              SHA-256:02A7CA1654FA8AE05144BB9750DC43784E00AAD587B2DEE2E3AED67AB82D0C52
                              SHA-512:A93AE155006D47B59D34358B202B04EBB14E9BD62F64E4FB8FFD80102836B2BCA92382A7CA8559105EC4F66587918A498C59F510CF3FB2DE94B96FC83AA8A849
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: Virustotal, Detection: 11%, Browse
                              Joe Sandbox View:
                              • Filename: Setup64v7.3.9.exe, Detection: malicious, Browse
                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....lg...........!.....:...........u........................................d...........@.........................t.......a...(....0d......................@d..:...................................................................................text....9.......:.................. ..`.rdata.......P.......>..............@..@.data...`....P.......0..............@....00cfg.......0......................@..@.tls.........@......................@....voltbl.F....P...........................XkS....`.G..`....G................. ..`.rsrc........0d.......c.............@..@.reloc...:...@d..<....c.............@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp
                              File Type:data
                              Category:dropped
                              Size (bytes):3221009
                              Entropy (8bit):7.999940595371903
                              Encrypted:true
                              SSDEEP:98304:XCOjC0WnYf+LCXhksIbstsy780E+S5XufrjVpfjF:y2hWCRksIb5y7W5ezjVxF
                              MD5:844C90C34433E6159EC531A2038FD95C
                              SHA1:55229F8F5715E1E2F4F5F13FFEB67B188259DEF6
                              SHA-256:B8E5BBB5400326FDF0366A0212F4F2C05D1517A064883A7CA82480AF46948BFE
                              SHA-512:39AE0AE1FF66C10FCF48A337C594FA19A33CF9E44D75F9800E09377E1DD5F432CFD8FF05063DD6D3055FDDF99126F78C8D4849DE1A194EDBD0DAD10C3CC95B26
                              Malicious:false
                              Preview:.@S.....T..L...............A...-_..kG.k.EoO..W.....9f.FD...o&f.~.A.6.......v.3i...R.S.....wA.yYN...7...j\AC#..F..?..).......`...../...I.LF.Z............kV...3....v.B..........G.n).1..*TYA.B..8...ihp......Z??.T....Fb:...B.-;..{.Fc.2...z.n=bSY)."....K...e...n...0;.^.O.:.P.:.....p?..=....E>Z..|.?$d?.....k&...]......N..*?f~r.I@Z...t....~m.<.....<...i..!......~.*.l....y=i....?..(.AG...rH.0-/.%p.G.pz&.,.~.|Y...?.A...,..ljW...].k.....b.J..f).R......s3}.......E..Ge7F.U\.,.....|...o...4.......A.lr..#%P.h.Bb.P....FPXR.#!......qG<............Y.'.=K./.4.Z\.F..O..9.?\-.}.IQq@......2..Y.......n ..c....r\.<f..f{......6A.......~{..c."..[...y<...l..S..,Z.t...{.zF....r.&T.....,....J>-.%?.[.8..fy..Y...."...Q.......Q....U.(...mc.......TN.......Rp._0y..w...)h.p...M..n....2.%../.f....f>..xQ.1.m)I%.|.\f..q..M r..xJ.?X.."....RV>......[r%y...L..L....tS1.1(...b...k..].e.mZ.x.G.kx....r..U....a.....A.....)K.N....;.c.....e_...f.Q..y`|AN.._l4...bXf.&..UL..6
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):56546
                              Entropy (8bit):7.99657747958244
                              Encrypted:true
                              SSDEEP:1536:0wybuqhUe1ZL6Pl98y1spKtRz11VYBDas2fSG74fO5+:Euqh31gPL/ZVQG1KG74f9
                              MD5:8A30882E738E453D9259B2EAE6880356
                              SHA1:D6D794D2A99B03A2206D28C10DC2BB68578E3E62
                              SHA-256:510100BDD847A8E22AFE7B393B4F67E5F9835FA06D2CB263BC3E3858126FF40F
                              SHA-512:6B33273BE7E6680BC910322FD5B49BD79F97A2E00B234BACA885B13835EA3DF4599A6A7CFF093FBE2B618F5B41AC7E8402CB08B09A131AD1AEE9E69D87BA2817
                              Malicious:false
                              Preview:.@S......2Sl ..............j,..J../...:.w._......&.........H[9...a.tW..5?..!..........B.P......E.... .u`X.,.{9A.<...~....G`.....`....we..`.......a/8R(.*.f1....M$}...d(9..6.y?..o.t&...W;.(}r.B#._Z...O...\.....L....5{.S.......JX.;.#.v. .or....b......ug..C.G..9?.4..mn0.eMY:....z..J...i;...V.W#.n........M.;m.k.....2QkK.}JZ\....T....C..~V|.1.......O.L&V..........0..B.6.f..Sd.A..g...2WR..../n.....F~...Hd.p..}.......o...}EO..Of...."..{e....N(D.]...{.F.1(.D.....:.e.)Pz..c..~.Zc.R....:;....N4.p.Qm.o.m...y..S.<.]^,.a0JTa...`......O.".:.m^........i..m..*..u.A..3.?...T^.....=...Bl..)K....,.....gD....B..B.E..lC.)r.?S t.N5.;...<;.../...8..3{.-..H.....Y...s....&...)/0.v>Po..0......\ZVl.m.c.A...}..P...R."em;.....3f../...r....mem.N..1....bJ7..1c7..Y..S..a......oB.QW.....+.w.?|C.*%]!Z..;.u>$...qR..qKI*..<.6"...i.gk,...k....y+...-..@....N.....J....0..n6....C.........y....<..w.-.D.j...........F'.(....D.iY..Ui..v..*F.#sW=.u.....)N....J.....|.s....#.......x9.
                              Process:C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):56546
                              Entropy (8bit):7.996577479582443
                              Encrypted:true
                              SSDEEP:1536:1R6xzdWTOgFy6W9or7zm3viXV6p8V6Y/mYrG:1R6xzdWTfFy6JG6p0YrG
                              MD5:5E4625C9C66FD7AE2A8415D0C39590CC
                              SHA1:90A370CAE2FECC67E467B5134793EB71406D119C
                              SHA-256:4B7825FEEFF9F889D656E2F136FB905B7B4C90733E5CEA086CAED401B4F3B680
                              SHA-512:9E6E5F1263171F8F84DFFEB18A2B33AE0D102858DB0A959E64C13842C51A12AB530C14FECC24BE61B33DC59522EACAB4CAE4570D92BFFB14EE1AA15FAAB6484C
                              Malicious:false
                              Preview:7z..'...{P.........2.........?.....;E4/.....](+Y...}..&.m...+.....H\.5..@......co..n..;.0M....'~l.o.dB[......F.?..u.W.@........~...q.pc ...`[...c/.......n.6..Q|....vQ1...2...}M..s".|...59M..........?.Pz:|.`..{.Q...Q....#.DP$.^..9.<...$......rg..g!T.d..|a...&{!..G.~/v...6m.....H......[^...]a.....z.H..$A........X...k...;....$...m..B.^..8...A..=b0YMd......@0..HY.34 .E...:.|.....P.Z.J....K.."zW:..h.*....s{@....P;.h.#L@a.?..3......kA4Q[..=..H)......e5c...O....[Qn=..............(...N2..Z.r............}...Nx...;...5....P}...A.K....p.&..&.u.j.s..p(..0.U@...c.F...9..".....-.E..C^...\'.=|.X.Y..j0..B.a\.P.%...).1.._.."x.``.....?.y.p.qV....1.y...;.....L..t..I6})...d.......b.. e+....Q...B...*.NR.=....f...pZ..).].W..@..6..c.....q...&.'x....b..C....f....T{I.m...|..G......`...?..R....n,....6.....[=....%.%.....f.m....z....2O.z7..nhk.O."X#,.*3.0G. ...2:'I..?...VR..a.HX...o..S...q.....?.jg.....q.n........|..X.z7.].......x'...Am<.|Y..k.b..V{.."UfZ..|...G
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):56546
                              Entropy (8bit):7.996966859255975
                              Encrypted:true
                              SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                              MD5:CEA69F993E1CE0FB945A98BF37A66546
                              SHA1:7114365265F041DA904574D1F5876544506F89BA
                              SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                              SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                              Malicious:false
                              Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                              Process:C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):56546
                              Entropy (8bit):7.996966859255979
                              Encrypted:true
                              SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                              MD5:4CB8B7E557C80FC7B014133AB834A042
                              SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                              SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                              SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                              Malicious:false
                              Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):31890
                              Entropy (8bit):7.99402458740637
                              Encrypted:true
                              SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                              MD5:8622FC7228777F64A47BD6C61478ADD9
                              SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                              SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                              SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                              Malicious:false
                              Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                              Process:C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):31890
                              Entropy (8bit):7.99402458740637
                              Encrypted:true
                              SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                              MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                              SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                              SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                              SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                              Malicious:false
                              Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):74960
                              Entropy (8bit):7.99759370165655
                              Encrypted:true
                              SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                              MD5:950338D50B95A25F494EE74E97B7B7A9
                              SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                              SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                              SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                              Malicious:false
                              Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                              Process:C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):74960
                              Entropy (8bit):7.997593701656546
                              Encrypted:true
                              SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                              MD5:059BA7C31F3E227356CA5F29E4AA2508
                              SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                              SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                              SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                              Malicious:false
                              Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):29730
                              Entropy (8bit):7.994290657653607
                              Encrypted:true
                              SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                              MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                              SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                              SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                              SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                              Malicious:false
                              Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                              Process:C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):29730
                              Entropy (8bit):7.994290657653608
                              Encrypted:true
                              SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                              MD5:A9C8A3E00692F79E1BA9693003F85D18
                              SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                              SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                              SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                              Malicious:false
                              Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                              Process:C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):3221009
                              Entropy (8bit):7.999940595371902
                              Encrypted:true
                              SSDEEP:98304:6agv3bsjsmV7kOYQQOanECdSue7C9A8lBQ:ifbsj33anEKSueIPBQ
                              MD5:4090D84E35D0027AD6F80E5025EFFA48
                              SHA1:BB0E514B427D866B4BA46B41A810EB58DA2E76A3
                              SHA-256:7DA43951BF763885F9C2CF070A8F1BB30648FB2480EBE357EBE3F8A76F30CFFA
                              SHA-512:8BE39035256DCA49065FBA6749DA0DD32203D6646E0A972CB60AF54B58D74477D3F6B6A423D959C517E7E2D778F95F803C92013FD785DF803A49267650B20A85
                              Malicious:false
                              Preview:7z..'...<.(/.%1.....A........Qh;..m...-......cb..z.b...V.M..}...,.<|sj.m.;.&.#.....s9.Z".....B@.).H.....y.......u.j,..6...m............O:.b?.eo..P?.......+..C.A.U.^..];".{k9...........h.Yw..jv....a.5p.g...@.e....h"n../B...M....;..3#k.z......h.`fc!o.;...1?...~...K.C..am...).H..-...})..F.48...&.N...4g......W;...,.t@P.o%........<...oX5...b....BR.V[.."..6..ne..'...._~9...m/+..X=.U...A-..v...5.2j......V.>..dzT.9.]pF./o....x$..cu-.rb........a..[-^(....u...{.*......'..U..{.~...X'..S].f++..Y.....n..._.m..>t.^%......O..P...BD...5....%.X.~....w.n..).`.)[..U.g+.......a......r.gW.....}..`c%.."..|f..r....]..;$.....`......b..p...<f.#....Q)K3....3^.U;.9..).....p....(Np.7.3......hO&.OKj..........qV.....hpiW..`Id_.$Mb.,0>v&.x1.4.(.jT'..a{.[..Y...1.c>'.@V..v.....Z4/...#z.(...c...4..!.Q....;.9i'..(`.y..L......qD.4..%H*.B$..;...f.~G.!#[.....R..).k.....v.B.R........Dw.....%..<.2......k...T_;.Y....u.$v...67~".$...>.<.g%....gu......@..V......-gi...ZsA...U..)x..>=.
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:PE32+ executable (native) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):63640
                              Entropy (8bit):6.482810107683822
                              Encrypted:false
                              SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                              MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                              SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                              SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                              SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 9%
                              • Antivirus: Virustotal, Detection: 6%, Browse
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
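The File Type, Entropy (8bit) and Encrypted fields in the records above can be reproduced offline when triaging the dropped files. The Python below is an added example written for this page, not Joe Sandbox code: it computes 8-bit Shannon entropy, recognises the 7z signature that opens every 7-zip preview ("7z..'.") and parses enough of a PE header to print the same descriptions the report gives for the 32-bit DLL and the x64 native driver. All inputs are constructed inside the script (minimal PE headers and a seeded pseudo-random blob; the file names are made up), and the 7.9 entropy cut-off used for the Encrypted verdict is an assumption, not the sandbox's published rule.

```python
import math
import random
import struct

# Assumption for this example: the sandbox's rule for its Encrypted flag is not
# published. 7.9 separates the 7.99-entropy 7z/.@S blobs listed above from the
# 7.65-entropy DLL and the 6.48-entropy driver, which the report leaves unflagged.
ENCRYPTED_ENTROPY_THRESHOLD = 7.9

SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"   # the "7z..'." at the start of each 7z preview
IMAGE_FILE_DLL = 0x2000                   # COFF Characteristics bit
MACHINE_NAMES = {0x014C: "Intel 80386", 0x8664: "x86-64"}
SUBSYSTEM_NAMES = {1: "native", 2: "GUI", 3: "console"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the report's Entropy (8bit)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def describe_pe(data: bytes):
    """file(1)-style description of a PE image, or None if the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 70 or len(data) < opt + 70:
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in PE32 and PE32+
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    if fmt is None:
        return None
    kind = "executable (DLL)" if chars & IMAGE_FILE_DLL else "executable"
    sub = SUBSYSTEM_NAMES.get(subsystem, "subsystem %d" % subsystem)
    arch = MACHINE_NAMES.get(machine, "machine 0x%04x" % machine)
    return "%s %s (%s) %s, for MS Windows" % (fmt, kind, sub, arch)


def describe_file(data: bytes) -> dict:
    """Type, size, entropy and Encrypted verdict for one dropped file."""
    ftype = describe_pe(data)
    if ftype is None:
        if data.startswith(SEVENZIP_MAGIC) and len(data) >= 8:
            ftype = "7-zip archive data, version %d.%d" % (data[6], data[7])
        else:
            ftype = "data"   # e.g. the .@S blobs written by 7zr.exe
    ent = shannon_entropy(data)
    return {"file_type": ftype, "size": len(data), "entropy": ent,
            "encrypted": ent >= ENCRYPTED_ENTROPY_THRESHOLD}


def build_min_pe(machine: int, magic: int, subsystem: int, characteristics: int) -> bytes:
    """Constructed sample: just enough header for describe_pe (not a loadable image)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, characteristics)
    opt = struct.pack("<H", magic) + b"\0" * 66 + struct.pack("<HH", subsystem, 0)
    return dos + b"PE\0\0" + coff + opt


_rng = random.Random(20241224)
SAMPLES = {  # constructed inputs with made-up names, not the report's files
    "driver.sys": build_min_pe(0x8664, 0x20B, 1, 0x0022),
    "plugin.dll": build_min_pe(0x014C, 0x10B, 3, 0x2102),
    "archive.7z": SEVENZIP_MAGIC + bytes([0, 4]) + bytes(_rng.getrandbits(8) for _ in range(65536)),
    "task.xml": b"<Task><RegistrationInfo><Author>Microsoft Corporation</Author>"
                b"<URI>\\turminoob</URI></RegistrationInfo></Task>",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = describe_file(blob)
        print("%-12s %-60s size=%-6d entropy=%.3f encrypted=%s"
              % (name, r["file_type"], r["size"], r["entropy"], r["encrypted"]))
```

Against real dropped files call describe_file(open(path, "rb").read()). The .@S-prefixed outputs of 7zr.exe listed above carry no signature this script (or file(1)) knows, so they come back as "data" with entropy close to 8, which is what the report shows for them; the two 7z archives of identical size in each pair are the inputs 7zr.exe consumed to produce them.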
                              Process:C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp
                              File Type:data
                              Category:dropped
                              Size (bytes):4096
                              Entropy (8bit):3.340989669697226
                              Encrypted:false
                              SSDEEP:48:dXKLzDlnyL6w0QldOVQOj933ODOiTdKbKsz72eW+5y2:dXazDlnHwhldOVQOj6dKbKsz7
                              MD5:E1D51247D1DAF8A0FC6537B88C88FDE2
                              SHA1:D57695EFE59DE41E3EDB50A8331609B4E7A88168
                              SHA-256:F06F970B6AEC492D4CE8EABEF736C88E03C3D560EBA0A951A278A2441D2A582E
                              SHA-512:87BF2EAC8F23B7A56BFC9F56CA7F155A0C66492C5F33FAEC3F2F9D7E1FE84A6A0C3D520791839CBB5B19AC4CA28DCECC1798D2287B03EE03100C573C62BD2F21
                              Malicious:false
                              Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\turminoob</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAva
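The dropped XML above is a Task Scheduler definition: registered under the URI \turminoob, with Author set to Microsoft Corporation, a LogonTrigger for the current user, RunLevel HighestAvailable and AllowHardTerminate false. The Python below is an added example for this page, not part of the report or of the sample, that parses such a definition and lists the properties an incident responder would want flagged. Both task documents inside it are constructed: the first repeats the fields visible in the preview above closed into a well-formed document (the original's cut-off tail is not reconstructed), the second is a benign control under a made-up \Microsoft\Windows\Example path. Registered tasks are stored as XML under %SystemRoot%\System32\Tasks, so the same function can be run over those files on a suspect host.

```python
import xml.etree.ElementTree as ET
from typing import List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed from the fields visible in the dropped task preview above and closed into a
# well-formed document; the original's tail after RunOnlyIfNetworkAva... is not on the page
# and is not reconstructed here.
DROPPED_TASK_XML = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2005-10-11T13:21:17-08:00</Date>
    <Author>Microsoft Corporation</Author>
    <Version>1.0.0</Version>
    <Description>Microsoft</Description>
    <URI>\turminoob</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="System">
      <UserId>user</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
</Task>"""

# Constructed control (hypothetical path): a Microsoft-authored task that sits where it claims to.
BENIGN_TASK_XML = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Microsoft Corporation</Author>
    <URI>\Microsoft\Windows\Example\Cleanup</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="LocalService">
      <UserId>S-1-5-19</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <AllowHardTerminate>true</AllowHardTerminate>
  </Settings>
  <Actions>
    <Exec><Command>C:\Windows\System32\example.exe</Command></Exec>
  </Actions>
</Task>"""

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def _text(node, path: str):
    el = node.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def assess_task(xml_text: str) -> List[str]:
    """Findings for one Task Scheduler XML definition (empty list = nothing of note)."""
    root = ET.fromstring(xml_text)
    findings = []
    author = _text(root, "t:RegistrationInfo/t:Author") or ""
    uri = _text(root, "t:RegistrationInfo/t:URI") or ""
    if "microsoft" in author.lower() and not uri.lower().startswith("\\microsoft\\"):
        findings.append("masquerade: Author '%s' but URI '%s' is not under \\Microsoft\\" % (author, uri))
    if _text(root, "t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        findings.append("RunLevel HighestAvailable: runs with the full admin token "
                        "when the principal is an administrator")
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("LogonTrigger: re-executes at every logon (persistence)")
    if _text(root, "t:Settings/t:AllowHardTerminate") == "false":
        findings.append("AllowHardTerminate=false: Task Scheduler will not force-stop the task")
    if (_text(root, "t:Settings/t:StopIfGoingOnBatteries") == "false"
            and _text(root, "t:Settings/t:DisallowStartIfOnBatteries") == "false"):
        findings.append("battery checks disabled: starts and keeps running regardless of power state")
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = _text(ex, "t:Command") or ""
        if any(p in cmd.lower() for p in USER_WRITABLE):
            findings.append("Exec from a user-writable path: %s" % cmd)
    return findings


if __name__ == "__main__":
    for label, doc in (("dropped task", DROPPED_TASK_XML), ("benign control", BENIGN_TASK_XML)):
        print(label + ":")
        for f in assess_task(doc) or ["(no findings)"]:
            print("  - " + f)
```

The Actions element of the dropped task is not in the preview, so the Exec check only fires on the control document here; on a live host it is the first thing to read, since it names what the task launches at logon.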
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2970813
                              Entropy (8bit):7.999933720029463
                              Encrypted:true
                              SSDEEP:49152:VFhJ5YgezPp0Pkb1EhI5LLh08nFa6aS1YO3PhX1RgxrMlJZHeYqNXaHtWeNU2:VF187yq1nl0iFawyO3PhfO4zZHe4tWej
                              MD5:92132FE3BD20C7955B8DBD8B1C7A2312
                              SHA1:86792AB31D1706F69B1E048F3E301A0B3924106E
                              SHA-256:EF9260CC02284F63FC5106B6F9A2C05DEB31F4700FBB4CDEBD201C3CD8227EE0
                              SHA-512:1B48D8AF7489B5928988982895C901921C0D9BB7D02138DC5CAE0FB6B67030FF1556DD6964BFAF94F3A13B349E11AE31F512A38BA72860BCD0CE5CB8DDE508EC
                              Malicious:false
                              Preview:!..)..2..b`}.w.........T..t...+9d.j.d...sn....0Q...D...h..+8..F.92..4~.sS0........nC..y..%...$......%..,\...HF.Pp).....>.Nbx..,.......=R..#..C...F..Pv..i%...],..y..k.;...E{1..%".j.*Nt.4.W.f."..J..t....%.~.SN."4v.......$(.b`.iI<.....'F._u...Q..vV0.e..........M..m..;6qrw....oj..@)$.VyA.3.|)y..........|.H....a...q...R.C.5..}..oV.......[.^..wD:[hY..,.).D..9.V.}.U..........nE.........v(f.7...v.....\=..Sr.W..d.ej7.Z...[..L...,..N..+..`lCf..@|..n..|..m^am.E."......M.n...[..,..'.o..kt..Yquzq..o..2d.ky.C..5Z.iI.............~(M.u....*^W.I{._..oy ..d..O..>....K..o .i..r....:.d.i<.nX>...Zv..s....<.>.IBq.;..{...M...7......h...^..~..9O..6.e.P..W..x.8,-..d7...w...J6.4...s.....&.....d..\f.D..Io..P..E....L.4....ew.+%....''q"E.WJ.^^&.q:.......z.-..B-.(.@.....d(.......b...%O.CF.. (yDW..^..s}.!..vd....}c......V..... .A>%.E.y..%...Z2|5.t.X.A.....B.......+.a(.cy.......G..k...&.|..=...\..5.....gg??/.r.g.%...f9..?hn.;......X.%>j!..(..I..9.....x6..D..HE(...U
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64
                              Entropy (8bit):1.1940658735648508
                              Encrypted:false
                              SSDEEP:3:NlllulnmWllZ:NllUmWl
                              MD5:3EBBEC2F920D055DAC842B4FF84448FA
                              SHA1:52D2AD86C481FAED6187FC7E6655C5BD646CA663
                              SHA-256:32441EEF46369E90F192889F3CC91721ECF615B0395CEC99996AB8CF06C59D09
                              SHA-512:163F2BECB9695851B36E3F502FA812BFBF6B88E4DCEA330A03995282E2C848A7DE6B9FDBA740E3DF536AB65390FBE3CC5F41F91505603945C0C79676B48EE5C3
                              Malicious:false
                              Preview:@...e................................................@..........
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):6553088
                              Entropy (8bit):7.647769337217841
                              Encrypted:false
                              SSDEEP:196608:90JmOiIkT/p5gtxNvL/6amzp5+/2nfD3:fjghjCZm2f
                              MD5:7660CD2408FA83CD090E58097DF443EA
                              SHA1:927B4D4213058490E4A5F0E8F917F492A7B9816F
                              SHA-256:02A7CA1654FA8AE05144BB9750DC43784E00AAD587B2DEE2E3AED67AB82D0C52
                              SHA-512:A93AE155006D47B59D34358B202B04EBB14E9BD62F64E4FB8FFD80102836B2BCA92382A7CA8559105EC4F66587918A498C59F510CF3FB2DE94B96FC83AA8A849
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: Virustotal, Detection: 11%, Browse
                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....lg...........!.....:...........u........................................d...........@.........................t.......a...(....0d......................@d..:...................................................................................text....9.......:.................. ..`.rdata.......P.......>..............@..@.data...`....P.......0..............@....00cfg.......0......................@..@.tls.........@......................@....voltbl.F....P...........................XkS....`.G..`....G................. ..`.rsrc........0d.......c.............@..@.reloc...:...@d..<....c.............@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):4.720366600008286
                              Encrypted:false
                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                              MD5:E4211D6D009757C078A9FAC7FF4F03D4
                              SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                              SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                              SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):6553088
                              Entropy (8bit):7.647769337217841
                              Encrypted:false
                              SSDEEP:196608:90JmOiIkT/p5gtxNvL/6amzp5+/2nfD3:fjghjCZm2f
                              MD5:7660CD2408FA83CD090E58097DF443EA
                              SHA1:927B4D4213058490E4A5F0E8F917F492A7B9816F
                              SHA-256:02A7CA1654FA8AE05144BB9750DC43784E00AAD587B2DEE2E3AED67AB82D0C52
                              SHA-512:A93AE155006D47B59D34358B202B04EBB14E9BD62F64E4FB8FFD80102836B2BCA92382A7CA8559105EC4F66587918A498C59F510CF3FB2DE94B96FC83AA8A849
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....lg...........!.....:...........u........................................d...........@.........................t.......a...(....0d......................@d..:...................................................................................text....9.......:.................. ..`.rdata.......P.......>..............@..@.data...`....P.......0..............@....00cfg.......0......................@..@.tls.........@......................@....voltbl.F....P...........................XkS....`.G..`....G................. ..`.rsrc........0d.......c.............@..@.reloc...:...@d..<....c.............@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):4.720366600008286
                              Encrypted:false
                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                              MD5:E4211D6D009757C078A9FAC7FF4F03D4
                              SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                              SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                              SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\Setup64v4.1.9.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3282432
                              Entropy (8bit):6.577767672935761
                              Encrypted:false
                              SSDEEP:49152:NdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQh333WT:DJYVM+LtVt3P/KuG2ONG9iqLRQh333U
                              MD5:9F18A5E381F7509154D344A6946A533A
                              SHA1:3B4308BECDCFA810AE5B552A1067F360CE898C6E
                              SHA-256:A0060D5DE5421B06375AE0298C3BB4DB66E67C2CE94B4E0B1DC517D09B4289CE
                              SHA-512:998CC90205E7F05B009B9C298B3CE10C096D3C60693E144A44B62953FACF08694AF2C321C693449691B5A4DED981BFC02BEF34FB092EDF691A0A583D64F110D3
                              Malicious:true
                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..P........*.......*...@...........................2...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                              Process:C:\Users\user\Desktop\Setup64v4.1.9.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3282432
                              Entropy (8bit):6.577767672935761
                              Encrypted:false
                              SSDEEP:49152:NdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQh333WT:DJYVM+LtVt3P/KuG2ONG9iqLRQh333U
                              MD5:9F18A5E381F7509154D344A6946A533A
                              SHA1:3B4308BECDCFA810AE5B552A1067F360CE898C6E
                              SHA-256:A0060D5DE5421B06375AE0298C3BB4DB66E67C2CE94B4E0B1DC517D09B4289CE
                              SHA-512:998CC90205E7F05B009B9C298B3CE10C096D3C60693E144A44B62953FACF08694AF2C321C693449691B5A4DED981BFC02BEF34FB092EDF691A0A583D64F110D3
                              Malicious:true
                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..P........*.......*...@...........................2...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:ASCII text, with CRLF, CR line terminators
                              Category:dropped
                              Size (bytes):406
                              Entropy (8bit):5.117520345541057
                              Encrypted:false
                              SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                              MD5:9200058492BCA8F9D88B4877F842C148
                              SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                              SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                              SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                              Malicious:false
                              Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
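The dropped log above is the console output of a 7-Zip extraction: the installer stages a 7zr.exe copy under C:\Program Files (x86)\Windows NT\ and unpacks locale3.dat, which the log identifies as a 7z container whose method chain ends in 7zAES (the archive was password-protected, so its contents were opaque to static scanning until this step). The script below is an added example, not Joe Sandbox or 7-Zip code: it parses that output into per-archive property blocks and raises the two findings a triage analyst wants from it, the encrypted payload and the archive hidden under a .dat extension. SAMPLE_LOG is reconstructed from the preview line (CRLF restored, progress glyphs removed); the 7zr command line is not in the report, so the example works from the log alone.

```python
"""Added example (not Joe Sandbox or 7-Zip code): parse the console output that
7-Zip writes while extracting, and pull out what matters for triage of the log
dropped above.  SAMPLE_LOG is reconstructed from the report's preview (CRLF
restored, progress glyphs removed); the 7zr command line itself is not in the
report, so everything here works from the log alone."""
import os
import re

SAMPLE_LOG = (
    "7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20\r\n\r\n"
    "Scanning the drive for archives:\r\n1 file, 31890 bytes (32 KiB)\r\n\r\n"
    "Extracting archive: locale3.dat\r\n--\r\n"
    "Path = locale3.dat\r\nType = 7z\r\nPhysical Size = 31890\r\nHeaders Size = 354\r\n"
    "Method = LZMA2:16 LZMA:16 BCJ2 7zAES\r\nSolid = -\r\nBlocks = 1\r\n\r\n"
    "Everything is Ok\r\n\r\nSize:       63640\r\nCompressed: 31890\r\n"
)

# Extensions under which a 7z-type container would not look out of place.
ARCHIVE_EXTS = {".7z", ".zip", ".rar", ".cab", ".tar", ".gz", ".xz", ".bz2", ".iso", ".wim"}


def parse_7z_log(text: str) -> dict:
    """Split the log into per-archive property blocks plus the final size totals."""
    result = {"archives": [], "ok": "Everything is Ok" in text, "size": None, "compressed": None}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Extracting archive:"):
            current = {"path": line.split(":", 1)[1].strip(), "props": {}}
            result["archives"].append(current)
        elif current is not None and " = " in line:          # "Key = Value" property lines
            key, value = line.split(" = ", 1)
            current["props"][key.strip()] = value.strip()
        elif (m := re.match(r"(Size|Compressed):\s*(\d+)$", line)):
            result[m.group(1).lower()] = int(m.group(2))
    return result


def triage(parsed: dict) -> list:
    """Findings an analyst would raise from the parsed log."""
    findings = []
    for arch in parsed["archives"]:
        path, props = arch["path"], arch["props"]
        if "7zAES" in props.get("Method", "").split():
            findings.append(f"{path}: 7zAES in method chain, payload was password-protected at rest")
        ext = os.path.splitext(path)[1].lower()
        if "Type" in props and ext not in ARCHIVE_EXTS:
            findings.append(f"{path}: extension {ext!r} hides a {props['Type']} archive")
    if parsed["size"] and parsed["compressed"]:
        ratio = parsed["size"] / parsed["compressed"]
        findings.append(f"extracted {parsed['compressed']} -> {parsed['size']} bytes ({ratio:.2f}x)")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_7z_log(SAMPLE_LOG)):
        print(finding)
```

The same parser works on logs from a `7z l -slt` listing, which prints the same `Key = Value` block; the 7zAES check is the one worth automating, because a password-protected archive dropped next to a renamed 7-Zip binary is the pattern that lets a payload pass through on-access scanning until the installer supplies the key.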
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.983954571040596
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 98.45%
                              • Inno Setup installer (109748/4) 1.08%
                              • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              File name:Setup64v4.1.9.exe
                              File size:12'899'330 bytes
                              MD5:f07267a8be1916ac2b02700f5fdb65bc
                              SHA1:15380faa66ef42ba6171ffed2bbee6bba9cc3e16
                              SHA256:7157a44b6835911bb056cea9b6f5d53eab8a393f25e425caee5de1183c00c571
                              SHA512:5f07314e8555085ab6fbe78ca2acea7e8a8eb376c967ce23f5a9dc4bf23588ff0119b880353842e3bd1124b676c127ede0cc270e03fce9046c1a4385e3c557b8
                              SSDEEP:393216:gBH71D5PwzHeGyn9XHWtpMrd4qN5xR3zy:I71D5S+f19d4qN5xR+
                              TLSH:56D62323B7CBE03DF49E4B3B0673A25494FB662665276E2297F445ACCF220601D7E253
                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                              Icon Hash:4c4d494959190d0c
                              Entrypoint:0x4a83bc
                              Entrypoint Section:.itext
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:1
                              File Version Major:6
                              File Version Minor:1
                              Subsystem Version Major:6
                              Subsystem Version Minor:1
                              Import Hash:40ab50289f7ef5fae60801f88d4541fc
                              Instruction
                              push ebp
                              mov ebp, esp
                              add esp, FFFFFFA4h
                              push ebx
                              push esi
                              push edi
                              xor eax, eax
                              mov dword ptr [ebp-3Ch], eax
                              mov dword ptr [ebp-40h], eax
                              mov dword ptr [ebp-5Ch], eax
                              mov dword ptr [ebp-30h], eax
                              mov dword ptr [ebp-38h], eax
                              mov dword ptr [ebp-34h], eax
                              mov dword ptr [ebp-2Ch], eax
                              mov dword ptr [ebp-28h], eax
                              mov dword ptr [ebp-14h], eax
                              mov eax, 004A2EBCh
                              call 00007FCBC85602C5h
                              xor eax, eax
                              push ebp
                              push 004A8AC1h
                              push dword ptr fs:[eax]
                              mov dword ptr fs:[eax], esp
                              xor edx, edx
                              push ebp
                              push 004A8A7Bh
                              push dword ptr fs:[edx]
                              mov dword ptr fs:[edx], esp
                              mov eax, dword ptr [004B0634h]
                              call 00007FCBC85F1C4Bh
                              call 00007FCBC85F179Eh
                              lea edx, dword ptr [ebp-14h]
                              xor eax, eax
                              call 00007FCBC85EC478h
                              mov edx, dword ptr [ebp-14h]
                              mov eax, 004B41F4h
                              call 00007FCBC855A373h
                              push 00000002h
                              push 00000000h
                              push 00000001h
                              mov ecx, dword ptr [004B41F4h]
                              mov dl, 01h
                              mov eax, dword ptr [0049CD14h]
                              call 00007FCBC85ED7A3h
                              mov dword ptr [004B41F8h], eax
                              xor edx, edx
                              push ebp
                              push 004A8A27h
                              push dword ptr fs:[edx]
                              mov dword ptr fs:[edx], esp
                              call 00007FCBC85F1CD3h
                              mov dword ptr [004B4200h], eax
                              mov eax, dword ptr [004B4200h]
                              cmp dword ptr [eax+0Ch], 01h
                              jne 00007FCBC85F89BAh
                              mov eax, dword ptr [004B4200h]
                              mov edx, 00000028h
                              call 00007FCBC85EE098h
                              mov edx, dword ptr [004B4200h]
                               Name                                  Virtual Address  Virtual Size  Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT          0xb7000          0x71          .edata
                               IMAGE_DIRECTORY_ENTRY_IMPORT          0xb5000          0xfec         .idata
                               IMAGE_DIRECTORY_ENTRY_RESOURCE        0xcb000          0x3dfc        .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_BASERELOC       0xba000          0x10fa8       .reloc
                               IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_TLS             0xb9000          0x18          .rdata
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_IAT             0xb52d4          0x25c         .idata
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0xb6000          0x1a4         .didata
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                               .rsrc | 0xcb000 | 0x3dfc | 0x3e00 | 0eefb6d053a8779d574a753018b80d10 | False | 0.2716103830645161 | data | 3.9582158898435735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
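The static fields above (entrypoint 0x4a83bc reported in .itext, a section table with per-section entropy, and the CheckSum that the sandbox flags as invalid) can all be recomputed from the file with standard-library Python. The script below is an added example, not Joe Sandbox tooling: it parses the PE header and section table, computes Shannon entropy per section, names the section that contains AddressOfEntryPoint, and recomputes the optional-header CheckSum with the imagehlp algorithm so a zero or stale field is visible. REPORT_SECTIONS holds only the name, virtual address and virtual size copied from the table above; the two-section stub the script builds when run without a path is a constructed file for offline use, not the analysed sample.

```python
"""Added example (not Joe Sandbox code): parse a PE header and section table,
compute per-section entropy, locate the entrypoint section and recompute the
optional-header CheckSum.  Works on any PE; the stub built by build_stub_pe()
is a constructed file so the script runs offline."""
import math
import struct
import sys
from collections import Counter

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")          # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x20, 0x20000000

# (name, VirtualAddress, VirtualSize) copied from the section table in the report
REPORT_SECTIONS = [(".text", 0x1000, 0xa568c), (".itext", 0xa7000, 0x1b64),
                   (".data", 0xa9000, 0x3838), (".bss", 0xad000, 0x7258),
                   (".idata", 0xb5000, 0xfec), (".didata", 0xb6000, 0x1a4),
                   (".edata", 0xb7000, 0x71), (".tls", 0xb8000, 0x18),
                   (".rdata", 0xb9000, 0x5d), (".reloc", 0xba000, 0x10fa8),
                   (".rsrc", 0xcb000, 0x3dfc)]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty section)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def section_for_rva(sections, rva):
    """Name of the section whose [VA, VA + VirtualSize) range contains rva, else None."""
    for name, va, vsize in sections:
        if va <= rva < va + vsize:
            return name
    return None


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """Recompute IMAGE_OPTIONAL_HEADER.CheckSum (the imagehlp algorithm): fold the
    file as little-endian DWORDs, skip the CheckSum field, then add the length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Return machine, image base, entrypoint RVA, both checksums and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                  # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = SECTION_HDR.unpack_from(
            data, opt + opt_size + i * SECTION_HDR.size)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_size": raw_size,
                         "entropy": entropy(data[raw_ptr:raw_ptr + raw_size]),
                         "exec": bool(flags & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))})
    return {"machine": machine, "image_base": image_base,
            "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "computed_checksum": pe_checksum(data, opt + 64), "sections": sections}


def entrypoint_section(info: dict):
    """Section holding AddressOfEntryPoint; an entrypoint outside a code section is a red flag."""
    spans = [(s["name"], s["va"], max(s["vsize"], s["raw_size"])) for s in info["sections"]]
    return section_for_rva(spans, info["entry_rva"])


def checksum_valid(info: dict) -> bool:
    """False is what a sandbox reports as 'PE file contains an invalid checksum'."""
    return info["stored_checksum"] == info["computed_checksum"]


def build_stub_pe(checksum: int = 0) -> bytes:
    """Constructed two-section PE32 stub for demonstration; NOT the analysed sample."""
    e_lfanew, opt_size, nsec, file_align = 0x40, 224, 2, 0x200
    text = bytes(range(256)) * 2                        # uniform bytes -> entropy 8.0
    data = b"A" * 0x200                                 # constant bytes -> entropy 0.0
    raw0 = -(-(e_lfanew + 4 + 20 + opt_size + nsec * SECTION_HDR.size) // file_align) * file_align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, len(text), len(data), 0, 0x1010, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, file_align, 6, 1, 0, 0, 6, 1,
                       0, 0x3000, raw0, checksum, 2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000,
                       0, 16) + b"\0" * 128            # 16 empty data directories
    secs = SECTION_HDR.pack(b".text", len(text), 0x1000, len(text), raw0, 0, 0, 0, 0, 0x60000020)
    secs += SECTION_HDR.pack(b".data", len(data), 0x2000, len(data), raw0 + len(text),
                             0, 0, 0, 0, 0xC0000040)
    hdr = dos + b"PE\0\0" + coff + opt + secs
    return hdr + b"\0" * (raw0 - len(hdr)) + text + data


if __name__ == "__main__":
    info = parse_pe(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_stub_pe())
    print(f"machine={info['machine']:#x} base={info['image_base']:#x} "
          f"entry_section={entrypoint_section(info)} checksum_valid={checksum_valid(info)}")
    for s in info["sections"]:
        print(f"{s['name']:<8} va={s['va']:#09x} vsize={s['vsize']:#08x} "
              f"raw={s['raw_size']:#08x} entropy={s['entropy']:.3f} exec={s['exec']}")
    print("report entrypoint 0x4a83bc lies in", section_for_rva(REPORT_SECTIONS, 0x4a83bc - 0x400000))
```

Run it as `python pe_sections.py Setup64v4.1.9.exe` to get the same columns as the table above; the entropy of .text (6.38) and .reloc (6.71) is what you expect of Delphi code and relocation data, while an installer stub whose high-entropy payload is appended after the last section, as the 12.9 MB file size against a 0xcf000 image suggests here, is invisible to per-section entropy and needs an overlay check.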
                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                               RT_ICON | 0xcb438 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.05054151624548736
                               RT_STRING | 0xcbce0 | 0x3f8 | data | | | 0.3198818897637795
                               RT_STRING | 0xcc0d8 | 0x2dc | data | | | 0.36475409836065575
                               RT_STRING | 0xcc3b4 | 0x430 | data | | | 0.40578358208955223
                               RT_STRING | 0xcc7e4 | 0x44c | data | | | 0.38636363636363635
                               RT_STRING | 0xccc30 | 0x2d4 | data | | | 0.39226519337016574
                               RT_STRING | 0xccf04 | 0xb8 | data | | | 0.6467391304347826
                               RT_STRING | 0xccfbc | 0x9c | data | | | 0.6410256410256411
                               RT_STRING | 0xcd058 | 0x374 | data | | | 0.4230769230769231
                               RT_STRING | 0xcd3cc | 0x398 | data | | | 0.3358695652173913
                               RT_STRING | 0xcd764 | 0x368 | data | | | 0.3795871559633027
                               RT_STRING | 0xcdacc | 0x2a4 | data | | | 0.4275147928994083
                               RT_RCDATA | 0xcdd70 | 0x10 | data | | | 1.5
                               RT_RCDATA | 0xcdd80 | 0x310 | data | | | 0.6173469387755102
                               RT_RCDATA | 0xce090 | 0x2c | data | | | 1.1590909090909092
                               RT_GROUP_ICON | 0xce0bc | 0x14 | data | English | United States | 1.25
                               RT_VERSION | 0xce0d0 | 0x584 | data | English | United States | 0.24575070821529746
                               RT_MANIFEST | 0xce654 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                               DLL | Imports
                               kernel32.dll: GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                               comctl32.dll: InitCommonControls
                               user32.dll: CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                               oleaut32.dll: SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                               advapi32.dll: ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
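The Import Hash field in the static information above is derived from exactly this DLL/function listing: pefile (and VirusTotal) lower-case each `library.function` pair, strip the .dll/.ocx/.sys suffix, join the pairs with commas in import-table order and MD5 the result, which is why the hash pivots on an installer stub's import order rather than its bytes. The script below is an added example, not Joe Sandbox or pefile code, and feeds the listing from this page through that algorithm. Two caveats: the order in which the report prints imports is not guaranteed to be the binary's import-table order, and ordinal-only imports (which pefile maps back to names for oleaut32, ws2_32 and wsock32) are not shown here, so the value it prints is not promised to equal the 40ab50289f7ef5fae60801f88d4541fc reported above.

```python
"""Added example (not Joe Sandbox or pefile code): derive an import hash from
an import listing the way pefile defines imphash, using the DLL/function
listing from this report as input."""
import hashlib

KERNEL32 = """GetACP GetExitCodeProcess CloseHandle LocalFree SizeofResource VirtualProtect
QueryPerformanceFrequency VirtualFree GetFullPathNameW GetProcessHeap ExitProcess HeapAlloc
GetCPInfoExW RtlUnwind GetCPInfo GetStdHandle GetModuleHandleW FreeLibrary HeapDestroy ReadFile
CreateProcessW GetLastError GetModuleFileNameW SetLastError FindResourceW CreateThread
CompareStringW LoadLibraryA ResetEvent GetVolumeInformationW GetVersion GetDriveTypeW
RaiseException FormatMessageW SwitchToThread GetExitCodeThread GetCurrentThread LoadLibraryExW
LockResource GetCurrentThreadId UnhandledExceptionFilter VirtualQuery VirtualQueryEx Sleep
EnterCriticalSection SetFilePointer LoadResource SuspendThread GetTickCount GetFileSize
GetStartupInfoW GetFileAttributesW InitializeCriticalSection GetSystemWindowsDirectoryW
GetThreadPriority SetThreadPriority GetCurrentProcess VirtualAlloc GetCommandLineW GetSystemInfo
LeaveCriticalSection GetProcAddress ResumeThread GetVersionExW VerifyVersionInfoW HeapCreate
GetWindowsDirectoryW LCMapStringW VerSetConditionMask GetDiskFreeSpaceW FindFirstFileW
GetUserDefaultUILanguage lstrlenW QueryPerformanceCounter SetEndOfFile HeapFree
WideCharToMultiByte FindClose MultiByteToWideChar LoadLibraryW SetEvent CreateFileW
GetLocaleInfoW GetSystemDirectoryW DeleteFileW GetLocalTime GetEnvironmentVariableW
WaitForSingleObject WriteFile ExitThread DeleteCriticalSection TlsGetValue GetDateFormatW
SetErrorMode IsValidLocale TlsSetValue CreateDirectoryW GetSystemDefaultUILanguage
EnumCalendarInfoW LocalAlloc GetUserDefaultLangID RemoveDirectoryW CreateEventW SetThreadLocale
GetThreadLocale""".split()

# Listing order as printed in the report; the real import table may differ.
PAGE_IMPORTS = [
    ("kernel32.dll", KERNEL32),
    ("comctl32.dll", ["InitCommonControls"]),
    ("user32.dll", """CreateWindowExW TranslateMessage CharLowerBuffW CallWindowProcW CharUpperW
        PeekMessageW GetSystemMetrics SetWindowLongW MessageBoxW DestroyWindow CharUpperBuffW
        CharNextW MsgWaitForMultipleObjects LoadStringW ExitWindowsEx DispatchMessageW""".split()),
    ("oleaut32.dll", """SysAllocStringLen SafeArrayPtrOfIndex VariantCopy SafeArrayGetLBound
        SafeArrayGetUBound VariantInit VariantClear SysFreeString SysReAllocStringLen
        VariantChangeType SafeArrayCreate""".split()),
    ("advapi32.dll", """ConvertStringSecurityDescriptorToSecurityDescriptorW OpenThreadToken
        AdjustTokenPrivileges LookupPrivilegeValueW RegOpenKeyExW OpenProcessToken FreeSid
        AllocateAndInitializeSid EqualSid RegQueryValueExW GetTokenInformation
        ConvertSidToStringSidW RegCloseKey""".split()),
]


def imphash_string(imports) -> str:
    """The canonical string pefile hashes: 'lib.func' pairs in import-table order,
    lower-cased, with .dll/.ocx/.sys stripped from the library name and
    ordinal-only imports rendered as 'ordN'.  (pefile additionally maps known
    ordinals of oleaut32/ws2_32/wsock32 back to names; that table is not
    reproduced here.)"""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        for func in funcs:
            parts.append(f"{lib}.{func.lower() if isinstance(func, str) else f'ord{func}'}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the canonical string; this is the value sandboxes print as Import Hash."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print("functions:", sum(len(funcs) for _, funcs in PAGE_IMPORTS))
    print("imphash  :", imphash(PAGE_IMPORTS))
```

Because the hash is order-sensitive and case-insensitive, it clusters samples built by the same toolchain (here the Inno Setup/Delphi stub) regardless of the payload they wrap, which is also its limitation: the imphash identifies the installer framework, not what this particular installer drops.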
                               Name                 Ordinal  Address
                               __dbk_fcall_wrapper  2        0x40fc10
                               dbkFCallWrapperAddr  1        0x4b063c
                               Language of compilation system | Country where language is spoken
                               English | United States
                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                               Dec 26, 2024 11:16:44.733928919 CET | 1.1.1.1 | 192.168.2.4 | 0x4b69 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                               Dec 26, 2024 11:16:44.733928919 CET | 1.1.1.1 | 192.168.2.4 | 0x4b69 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false


                              Target ID:0
                              Start time:05:16:25
                              Start date:26/12/2024
                              Path:C:\Users\user\Desktop\Setup64v4.1.9.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\Setup64v4.1.9.exe"
                              Imagebase:0x8c0000
                              File size:12'899'330 bytes
                              MD5 hash:F07267A8BE1916AC2B02700F5FDB65BC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:1
                              Start time:05:16:26
                              Start date:26/12/2024
                              Path:C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\is-I3HNQ.tmp\Setup64v4.1.9.tmp" /SL5="$1042C,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe"
                              Imagebase:0x180000
                              File size:3'282'432 bytes
                              MD5 hash:9F18A5E381F7509154D344A6946A533A
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:2
                              Start time:05:16:27
                              Start date:26/12/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                              Imagebase:0x7ff788560000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:3
                              Start time:05:16:27
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:05:16:30
                              Start date:26/12/2024
                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                              Imagebase:0x7ff693ab0000
                              File size:496'640 bytes
                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                              Has elevated privileges:true
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:false

                              Target ID:5
                              Start time:05:16:32
                              Start date:26/12/2024
                              Path:C:\Users\user\Desktop\Setup64v4.1.9.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\Setup64v4.1.9.exe" /VERYSILENT
                              Imagebase:0x8c0000
                              File size:12'899'330 bytes
                              MD5 hash:F07267A8BE1916AC2B02700F5FDB65BC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:false

                              Target ID:6
                              Start time:05:16:32
                              Start date:26/12/2024
                              Path:C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\is-8NH0L.tmp\Setup64v4.1.9.tmp" /SL5="$30418,11953450,792064,C:\Users\user\Desktop\Setup64v4.1.9.exe" /VERYSILENT
                              Imagebase:0xc40000
                              File size:3'282'432 bytes
                              MD5 hash:9F18A5E381F7509154D344A6946A533A
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:7
                              Start time:05:16:35
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:8
                              Start time:05:16:36
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:05:16:36
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:10
                              Start time:05:16:36
                              Start date:26/12/2024
                              Path:C:\Program Files (x86)\Windows NT\7zr.exe
                              Wow64 process (32bit):true
                              Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                              Imagebase:0xf40000
                              File size:831'200 bytes
                              MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 0%, ReversingLabs
                              • Detection: 0%, Virustotal
                              Has exited:true

                              Target ID:11
                              Start time:05:16:36
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:12
                              Start time:05:16:36
                              Start date:26/12/2024
                              Path:C:\Program Files (x86)\Windows NT\7zr.exe
                              Wow64 process (32bit):true
                              Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                              Imagebase:0xf40000
                              File size:831'200 bytes
                              MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:13
                              Start time:05:16:36
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:14
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:15
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true
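
The process list above records four behaviours that are cheap to hunt for in process-creation telemetry: the Defender exclusion on the whole C: drive (target 2), a kernel-mode service created with a binPath that is a .dll under Program Files rather than a .sys under System32\drivers (targets 7 and 8), password-protected 7zr.exe extraction of files named .dat (targets 10 and 12), and the repeated `sc start CleverSoar` calls (targets 14 and 15 and the copies that follow). The Python below is an added example and is not part of the Joe Sandbox report or of the sample; it runs one rule per behaviour over a constructed log in a `timestamp|image|command line` layout that mirrors the command lines above. The drivers-directory rule, the five-second burst window, the severity labels and the two benign control lines are assumptions chosen for illustration.

```python
"""Hunt rules for the behaviours recorded above (added example, not sandbox output):
a Defender exclusion on a drive root, a kernel-mode service whose binPath is not a
.sys in the System32 drivers directory, password-protected 7-Zip extraction of a
non-archive extension, and a burst of repeated `sc start` calls for one service."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in "timestamp|image|command line" form. The first six lines
# mirror commands from the report's process list; the last two are benign controls.
SAMPLE_LOG = r"""
2024-12-26 05:16:27|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
2024-12-26 05:16:36|C:\Windows\System32\sc.exe|sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
2024-12-26 05:16:36|C:\Program Files (x86)\Windows NT\7zr.exe|7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
2024-12-26 05:16:37|C:\Windows\System32\sc.exe|sc start CleverSoar
2024-12-26 05:16:37|C:\Windows\System32\sc.exe|sc start CleverSoar
2024-12-26 05:16:38|C:\Windows\System32\sc.exe|sc start CleverSoar
2024-12-26 05:16:40|C:\Windows\System32\sc.exe|sc create MyFilter binPath= "C:\Windows\System32\drivers\myfilter.sys" type= kernel start= demand
2024-12-26 05:16:41|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -Command "Get-MpPreference"
"""

MPPREF = re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+['\"]?([^'\"]+)", re.I)
SC_CMD = re.compile(r"\bsc(?:\.exe)?\s+(create|start)\s+(\S+)", re.I)
SC_KV = re.compile(r'(\w+)=\s*("[^"]*"|\S+)')            # sc.exe syntax is "key= value"
SEVENZ = re.compile(r"\b7zr?(?:\.exe)?\s+x\b(.*)", re.I)  # 7z/7zr "x" = extract with paths
DRIVER_PATH = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\[^\\]+\.sys$", re.I)  # assumed rule
ARCHIVE_EXT = (".7z", ".zip", ".rar", ".tar", ".gz", ".xz", ".cab", ".wim", ".iso")


def parse_log(text):
    """Return (datetime, image, command line) tuples for each non-empty line."""
    events = []
    for line in text.strip().splitlines():
        ts, image, cmd = line.split("|", 2)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), image, cmd))
    return events


def exclusion_depth(path):
    """Directory depth below the drive: 0 for C:\\, 1 for C:\\Users, -1 if not a drive path."""
    parts = [p for p in path.strip().split("\\") if p]
    if not parts or not re.fullmatch(r"[A-Za-z]:", parts[0]):
        return -1
    return len(parts) - 1


def kernel_service_suspicious(binpath):
    """Assumed hunt rule: a kernel service should point at a .sys inside the drivers directory."""
    return not DRIVER_PATH.match(binpath.strip())


def hunt(log_text, burst_window=timedelta(seconds=5), burst_threshold=3):
    """Apply all four rules; return (severity, rule, detail) tuples in detection order."""
    findings = []
    starts = defaultdict(list)                          # service name -> start timestamps
    for ts, image, cmd in parse_log(log_text):
        m = MPPREF.search(cmd)
        if m:                                           # any exclusion from an installer is worth triage
            for target in m.group(1).split(","):
                sev = "high" if 0 <= exclusion_depth(target) <= 1 else "medium"
                findings.append((sev, "defender_exclusion", target.strip()))
        m = SC_CMD.search(cmd)
        if m:
            verb, svc = m.group(1).lower(), m.group(2)
            if verb == "create":
                kv = {k.lower(): v.strip('"') for k, v in SC_KV.findall(cmd)}
                if kv.get("type", "").lower() == "kernel" and kernel_service_suspicious(kv.get("binpath", "")):
                    findings.append(("high", "kernel_service_odd_binpath", f"{svc} -> {kv.get('binpath')}"))
            else:
                starts[svc.lower()].append(ts)
        m = SEVENZ.search(cmd)
        if m:
            toks = m.group(1).split()
            archive = next((t for t in toks if not t.startswith("-")), "")
            has_pw = any(t.startswith("-p") for t in toks)     # 7-Zip password switch is -p{password}
            if has_pw and not archive.lower().endswith(ARCHIVE_EXT):
                findings.append(("medium", "7zip_password_nonarchive_ext", f"{archive} (from {image})"))
    for svc, times in sorted(starts.items()):           # installer loops hammer `sc start` within seconds
        times.sort()
        for i in range(len(times) - burst_threshold + 1):
            if times[i + burst_threshold - 1] - times[i] <= burst_window:
                findings.append(("low", "sc_start_burst", f"{svc} started {len(times)}x"))
                break
    return findings


if __name__ == "__main__":
    for sev, rule, detail in hunt(SAMPLE_LOG):
        print(f"[{sev:6}] {rule:30} {detail}")
```

Real sensors (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled) supply the three fields used here. The driver rule is a hunt rule, not a blocking rule: signed drivers are sometimes installed from other directories, but a kernel service whose binPath ends in .dll, as tProtect.dll does in this report, deserves an immediate look, and a drive-root Defender exclusion added by an installer should be treated as tampering regardless of what follows it.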

                              Target ID:16
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:17
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:18
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff70f330000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:19
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:20
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:21
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:22
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:23
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:24
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:25
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:26
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:27
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:28
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:29
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:30
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:31
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:32
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:33
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:34
                              Start time:05:16:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:35
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:36
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:37
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:38
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:39
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:40
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:41
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:42
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:43
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:44
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:45
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:46
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:47
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:48
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:49
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:50
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:51
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:52
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:53
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:54
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:55
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:56
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:57
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:58
                              Start time:05:16:38
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:59
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:60
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:61
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:62
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:63
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:64
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:65
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:66
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:67
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:68
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:69
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:70
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:71
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:72
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:73
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:74
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:75
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:76
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:77
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:78
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:79
                              Start time:05:16:39
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:80
                              Start time:05:16:40
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:81
                              Start time:05:16:40
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:82
                              Start time:05:16:40
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:83
                              Start time:05:16:40
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:84
                              Start time:05:16:40
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:85
                              Start time:05:16:40
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:86
                              Start time:05:16:40
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:87
                              Start time:05:16:40
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:88
                              Start time:05:16:40
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:89
                              Start time:05:16:40
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:90
                              Start time:05:16:40
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:91
                              Start time:05:16:40
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:92
                              Start time:05:16:40
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:93
                              Start time:05:16:40
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:94
                              Start time:05:16:40
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:95
                              Start time:05:16:40
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:96
                              Start time:05:16:41
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:97
                              Start time:05:16:41
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:99
                              Start time:05:16:41
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:100
                              Start time:05:16:41
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:101
                              Start time:05:16:41
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:102
                              Start time:05:16:41
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:103
                              Start time:05:16:41
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:104
                              Start time:05:16:41
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:105
                              Start time:05:16:41
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7199d0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:106
                              Start time:05:16:41
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff623eb0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:107
                              Start time:05:16:41
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:108
                              Start time:05:16:41
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff693e60000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true


                                Execution Graph

                                Execution Coverage:0.1%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:9.3%
                                Total number of Nodes:43
                                Total number of Limit Nodes:1
                                execution_graph 40127 6c67c974 40128 6c67c980 40127->40128 40129 6c67c987 GetLastError ExitThread 40128->40129 40130 6c67c994 40128->40130 40141 6c6822c2 GetLastError 40130->40141 40132 6c67c999 40168 6c687676 40132->40168 40135 6c67c9b0 40174 6c67c8df 11 API calls 40135->40174 40138 6c67c9d2 40175 6c67de29 GetLastError SetLastError TlsGetValue TlsSetValue GetProcAddress 40138->40175 40140 6c67c9e3 40142 6c6822d9 40141->40142 40143 6c6822df 40141->40143 40176 6c684433 TlsGetValue GetProcAddress 40142->40176 40159 6c6822e5 40143->40159 40177 6c684472 TlsSetValue GetProcAddress 40143->40177 40146 6c6822fd 40148 6c68232c 40146->40148 40149 6c682315 40146->40149 40146->40159 40147 6c682364 SetLastError 40150 6c682373 40147->40150 40154 6c682379 40147->40154 40179 6c684472 TlsSetValue GetProcAddress 40148->40179 40178 6c684472 TlsSetValue GetProcAddress 40149->40178 40150->40132 40153 6c682338 40153->40159 40180 6c684472 TlsSetValue GetProcAddress 40153->40180 40155 6c682390 40154->40155 40181 6c684433 TlsGetValue GetProcAddress 40154->40181 40167 6c682396 40155->40167 40182 6c684472 TlsSetValue GetProcAddress 40155->40182 40159->40147 40160 6c6823aa 40161 6c6823c2 40160->40161 40162 6c6823d7 40160->40162 40160->40167 40183 6c684472 TlsSetValue GetProcAddress 40161->40183 40184 6c684472 TlsSetValue GetProcAddress 40162->40184 40165 6c6823e3 40165->40167 40185 6c684472 TlsSetValue GetProcAddress 40165->40185 40167->40132 40169 6c687688 GetPEB 40168->40169 40170 6c67c9a4 40168->40170 40169->40170 40171 6c68769b 40169->40171 40170->40135 40173 6c68467f GetProcAddress 40170->40173 40186 6c684728 GetProcAddress 40171->40186 40173->40135 40174->40138 40175->40140 40176->40143 40177->40146 40178->40159 40179->40153 40180->40159 40181->40155 40182->40160 40183->40167 40184->40165 40185->40167 40186->40170

                                Control-flow Graph

                                APIs
                                • GetLastError.KERNEL32(6C6A3A20,0000000C), ref: 6C67C987
                                • ExitThread.KERNEL32 ref: 6C67C98E
                                Memory Dump Source
                                • Source File: 00000006.00000002.1930770772.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                • Associated: 00000006.00000002.1930746173.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.1931553238.000000006C695000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.1936178509.000000006CBF3000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: ErrorExitLastThread
                                • String ID:
                                • API String ID: 1611280651-0
                                • Opcode ID: 06b0c3938003374256fea8a3bdc4bba4ff36cc28c0a0385a5169f737e4481f21
                                • Instruction ID: 42adb6265a48fd8f3563b99a766a9bcbae645ada47c864713c2ec471e60006d1
                                • Opcode Fuzzy Hash: 06b0c3938003374256fea8a3bdc4bba4ff36cc28c0a0385a5169f737e4481f21
                                • Instruction Fuzzy Hash: 9EF0A970A04204BFDB15ABB0C848AAE3B75FF06308F200A49E4069BB50CB34A945CBB9
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6D3CE5
                                  • Part of subcall function 6C6A9C2A: __EH_prolog.LIBCMT ref: 6C6A9C2F
                                  • Part of subcall function 6C6AB6A6: __EH_prolog.LIBCMT ref: 6C6AB6AB
                                  • Part of subcall function 6C6D3A0E: __EH_prolog.LIBCMT ref: 6C6D3A13
                                  • Part of subcall function 6C6D3837: __EH_prolog.LIBCMT ref: 6C6D383C
                                  • Part of subcall function 6C6D7143: __EH_prolog.LIBCMT ref: 6C6D7148
                                  • Part of subcall function 6C6D7143: ctype.LIBCPMT ref: 6C6D716C
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog$ctype
                                • String ID:
                                • API String ID: 1039218491-3916222277
                                • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                • Instruction ID: 2e793eec105c21151d682b40db6013040a6f62a3d7a1672cd8c0d627e81dbcec
                                • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                • Instruction Fuzzy Hash: 1B03BF30805289DEDF11CFA4C854BECBBB0AF16308F254099D44567A91DB74AF8ADF6E
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: x=J
                                • API String ID: 3519838083-1497497802
                                • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                • Instruction ID: 1a8c3a4e697966cbfc66ee12c3bc3a17c520ea8193d2e286066cb4059d861a7c
                                • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                • Instruction Fuzzy Hash: 9691D171D051099ACF04DFE9C990AEDBBB1EF5630CF20806AD461A7A51DB319D8BCB9C
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID: @4J$DsL
                                • API String ID: 0-2004129199
                                • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                • Instruction ID: fe95571fff3144733be504298df0570430b1db5e384f927a68b22744b3bd88a5
                                • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                • Instruction Fuzzy Hash: 49219E37AA4C560BD74CCA28EC33EB96680E744305B88527EE94BCB7E1DF6C8800C64C
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6C240F
                                  • Part of subcall function 6C6C3137: __EH_prolog.LIBCMT ref: 6C6C313C
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                • Instruction ID: 3b0b694b63b39c7fb7d1eff73ae33276518d44fdaa5c6d6f0e70269adc9a14f6
                                • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                • Instruction Fuzzy Hash: 0D626A71E00259CFDB15CFA4C898BEDBBB1FF05308F1441AAE815AB680D7749A45CF9A
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID: YA1
                                • API String ID: 0-613462611
                                • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                • Instruction ID: b8142acce0772fd889b9405915a2445160b0d6e236bb23846cef189fc4b31e13
                                • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                • Instruction Fuzzy Hash: 6A42C27064D3818FC315CF28C59069ABBE2FFD9318F19496DE8D68BB42D631D94ACB42
                                APIs
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: __aullrem
                                • String ID:
                                • API String ID: 3758378126-0
                                • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                • Instruction ID: dd31a9bdf0d8c9db0e24fa98aa5dc7c050fda213599cb2b1884ba11a32711a9e
                                • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                • Instruction Fuzzy Hash: 1B51D871A052459BD710CFAAC4C02EDFBF6EF7A314F18C05AE88897242D27A5D9BC760
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID: 0-3916222277
                                • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                • Instruction ID: 797b5c52047d6c595104daecb755d89650fc2abad063339470090f3c09349533
                                • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                • Instruction Fuzzy Hash: 3A02D3316083818BD725CF28C69079EBBE2BFC9348F144A2DE8D597752D778D945CB82
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID: (SL
                                • API String ID: 0-669240678
                                • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                • Instruction ID: c31341f947009ab3f6cd185c419b5f95ce028578e294f38948201c65d52a06a3
                                • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                • Instruction Fuzzy Hash: 36516473E208314AD78CCE24DC2177572D2E784310F8BC1B99D4BAB6E6DD78989587D4
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                • Instruction ID: 0229991b9ef9fa69bb88b9b53822ebf539f33a5f1ad94521a900b27a00d56d9c
                                • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                • Instruction Fuzzy Hash: 27523E31608B458BD319CF29C5906AABBE2FBA5308F188A2DD4DAC7F41DB74F449CB45
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                • Instruction ID: 89d1d28d4e3f4801f212b715a1802d77ca78166ed9158dd6f4684627294fb5c4
                                • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                • Instruction Fuzzy Hash: F262F2B1A08355CFC714CF1AC68091ABBF5BFC8744F249A2EE89997716D770E845CB82
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                • Instruction ID: c86b538cf2659e9e165060aa4042b4a38392e3c2ac934cb01f04bcd6c2c1a59a
                                • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                • Instruction Fuzzy Hash: BA12BE712097858FC718CF28C6A066AFBF2BF88344F64892DE59687B42D739E845CB51
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                • Instruction ID: aac4caced26df96be997d56bb9edc0791f8c6f5d3c8bb527df640d6c5fb1d6bf
                                • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                • Instruction Fuzzy Hash: DC022B32A483218FC318CE28C580269BBF2FBC4345F155B3EE49A97A97D774D844CB92
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                • Instruction ID: aaedeb191e13b2e1d1ed73d0c9543629e4d8fa07b600b19c423ae7bb3fb0674f
                                • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                • Instruction Fuzzy Hash: D9F123326082888BEB24DE6CD9517EEBBE2FBC5305F58453DD889CBB41DB35950AC781
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                • Instruction ID: 0e15a5d4f1b25cec2abfcce9873fe06c427aba6851a7ecfc74723b234e5de352
                                • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                • Instruction Fuzzy Hash: B2D111715046168FE318EF2DC594636BBE1FF96305F054ABDDAA28B38AD738D605CB40
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                • Instruction ID: 1c64b0dc07bbc7535c0c5cf908db349166226c05ff6d836b1aeb29e210c5abc0
                                • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                • Instruction Fuzzy Hash: 57C1B6352087418BC715DE39D1A06A7BBE2EFDA314F188A6DC4CE8BF55DA30A40ECB55
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                • Instruction ID: 4b88a5cc9f750bbe72bdfd367fdd45eb70dbe1d80d98918a0eed83cdc5d80031
                                • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                • Instruction Fuzzy Hash: EEB1D071308B054BD324EE39CA94BEAB7E1BF85318F08452DC5AA87B41EF34B5098794
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                • Instruction ID: 13af9aded81464a694e3786110e27f89bca6e7d4700c4d7622a38df637e69a92
                                • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                • Instruction Fuzzy Hash: C8B1D1756087068BC304DF29C9846ABF7E2FFC8304F18892DD499C7B11E771A559CB95
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                • Instruction ID: db77ba5f877dced6a0d3adabf490386a64ccb3c87af2b15269f4694d25a95de1
                                • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                • Instruction Fuzzy Hash: 24A1C4716083818FC315CF29C69069EBBE1EBD5308F544A3EE4D6C7B41D635EA8ACB42
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                • Instruction ID: 1a6a82e5d84eb48c67e4b90b1b3b5c84fc7ef5f2af0534d202159b0c77efa1ba
                                • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                • Instruction Fuzzy Hash: 0481AF35A047018FC320CF29C180646B7E1FF99714F288AAEC5D9DB711E776EA46CB81
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                • Instruction ID: cfef39e1e1ae6928bc58ace9585cf0b8e718c27006f01402a48a68589888877c
                                • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                • Instruction Fuzzy Hash: C1518C72E006099BDB08CE98DD926EDB7F6EB88308F248169D115FB785D7749A41CB44
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                • Instruction ID: 7cbe65998259fcd82a0817af635090472d7156bf6841974dd775907a00a10ce7
                                • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                • Instruction Fuzzy Hash: 7331142B7A440113C70CCD3BCC1279F91575BD422A70ECB39A805DAF65D52CC8234249
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                • Instruction ID: 02f1f3e488bcc8d85f3005d17531c9a853cfc34b2aefa3b6b3e0e24738fa8169
                                • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                • Instruction Fuzzy Hash: 18219077320A0647E74C8A38D93737532D0A705318F98A26DEA6BCE2C2E73AC457C385
                                Memory Dump Source
                                • Source File: 00000006.00000002.1930770772.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                • Associated: 00000006.00000002.1930746173.000000006C5B0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.1931553238.000000006C695000.00000002.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.1936178509.000000006CBF3000.00000002.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6fe82880b1d9691d46dc9a2acb10202cacc99dee778e5e53515e87e9c5cafa7a
                                • Instruction ID: d0d56ed6d018427651a8ba8ff9a432e254ee501c30ef9be812d0e8aaf641cb1a
                                • Opcode Fuzzy Hash: 6fe82880b1d9691d46dc9a2acb10202cacc99dee778e5e53515e87e9c5cafa7a
                                • Instruction Fuzzy Hash: FFF03071A16234DFCB22DA4CC905B89B3FCEB46B65F110196F511AB641C6B0DD80CBE8
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                • Instruction ID: 1c7dad4f024bc0febbaad0ea9cc6316a0e716dc36d5db8bcf9c63785cf97f243
                                • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                • Instruction Fuzzy Hash: 87C08CA312810017C303EE3599C0BAAF6A37361330F22CC3EA0A2E7E43C328C0659511

                                APIs
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: __aulldiv$__aullrem
                                • String ID:
                                • API String ID: 2022606265-0
                                • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                • Instruction ID: 98621956e311cf2614a5c499e9d616af7d426f9285239134bf3f13ff6e55ce0a
                                • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                • Instruction Fuzzy Hash: 04219170901229BADF118E949D8CDDF7BB9EB417A8F20C226B52471AA0D2718DB0E765

                                Control-flow Graph

                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6B76F1
                                  • Part of subcall function 6C6C6173: __EH_prolog.LIBCMT ref: 6C6C6178
                                • __EH_prolog.LIBCMT ref: 6C6B78F9
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: IJ$WIJ$J
                                • API String ID: 3519838083-740443243
                                • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                • Instruction ID: 8c464ccda6d4aa10acab13d62fddf2480f8720fa62b409d5be81a50848c08eab
                                • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                • Instruction Fuzzy Hash: 4571C030904255DFDB04DFA4C484BEDB7B0BF16308F1084A9E8596BB91CB74AE49CBA9

                                Control-flow Graph

                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6CB41D
                                  • Part of subcall function 6C6CBE40: __EH_prolog.LIBCMT ref: 6C6CBE45
                                  • Part of subcall function 6C6CB8EB: __EH_prolog.LIBCMT ref: 6C6CB8F0
                                  • Part of subcall function 6C6CB593: __EH_prolog.LIBCMT ref: 6C6CB598
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: &qB$0aJ$A0$XqB
                                • API String ID: 3519838083-1326096578
                                • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                • Instruction ID: 8a796d9ded1e5f6f288947714218f13d330c2416de50eef6f841cf6c47e4160f
                                • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                • Instruction Fuzzy Hash: 6421BB70E05298AECF04CBE4D9849EDBBB4EF26308F20402AD41273780DB784E0DCB69

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: J$0J$DJ$`J
                                • API String ID: 3519838083-2453737217
                                • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                • Instruction ID: 3efbcde3972217346a720846f01ee59229d1abf65005b7ea790c76820351b535
                                • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                • Instruction Fuzzy Hash: 8511C2B0904B64CEC720CF5AC55419AFBE4FFA6708B10C91FC4A687B50C7F8A909CB59

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $!$@
                                • API String ID: 3519838083-2517134481
                                • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                • Instruction ID: 2e274ff34f9ed36bdc97343c2a477805e8b75f11c52efe2e3abf9d92c63fc4f9
                                • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                • Instruction Fuzzy Hash: 6712AE30D05249DFCF04CFA4C580AEDBBB2BF09308F148469E865ABB51DB71E946CB69

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog__aulldiv
                                • String ID: $SJ
                                • API String ID: 4125985754-3948962906
                                • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                • Instruction ID: 109efedbe309d9b4543b3a5d4d980e3a1667048301e9152a3c4aed65a5d54110
                                • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                • Instruction Fuzzy Hash: C8B160B9D002099FCB14CFA9C9905EEBBF1FF48318B20852EE415B7B61C730AA55CB59

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $CK$CK
                                • API String ID: 3519838083-2957773085
                                • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                • Instruction ID: 372105ca7c0f8f35fa879553b7b963ffb982c25278e0963482515e9b941085b9
                                • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                • Instruction Fuzzy Hash: E0219275F052058BCF04DFA9C5841EEF7B2FB95308F14463AC522A7B91C7785A068B9A

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 0$LrJ$x
                                • API String ID: 3519838083-658305261
                                • Opcode ID: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                                • Instruction ID: c60ecb25a9c7be3610b97de625e841eadeebc059f028d636b16c1bbc9d59e7f6
                                • Opcode Fuzzy Hash: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                                • Instruction Fuzzy Hash: CB218E36D01119DBCF04DBD8C990AEDB7B5EF99308F20015AE412B3A40DB75AE09CBA9

                                Control-flow Graph

                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6D1ECC
                                  • Part of subcall function 6C6BC58A: __EH_prolog.LIBCMT ref: 6C6BC58F
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: :hJ$dJ$xJ
                                • API String ID: 3519838083-2437443688
                                • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                • Instruction ID: c14ac1ed39baa0973bf9b6d8903794e4613034ce75ded583337233c4e4453bc5
                                • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                • Instruction Fuzzy Hash: 7121ECB0805B40CFC761CF6AC15428ABBF4FF2A708B00C95EC0AA97B11D7B4A609CF59

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID: <J$DJ$HJ$TJ$]
                                • API String ID: 0-686860805
                                • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                • Instruction ID: 4a88ace05355fd59781c805283d3cb4ef11748d73db71db8f57113b07f403d20
                                • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                • Instruction Fuzzy Hash: 76419870D05249AFCF24DBE0D4908EEB770EF5A308B10856ED12167A74DB35BA4ACB5E

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: __aulldiv
                                • String ID:
                                • API String ID: 3732870572-0
                                • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                • Instruction ID: 97119822fa4ae20b20a08d094496cc643b4f4cc4e60b1872e498232111553c9f
                                • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                • Instruction Fuzzy Hash: 4311D57A200348BFEB204EA0DC44EEFBBBDEFC5744F10842DB25556A60CA71AC24E725

                                Control-flow Graph

                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6AB077
                                  • Part of subcall function 6C6AAFF5: __EH_prolog.LIBCMT ref: 6C6AAFFA
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: :$\
                                • API String ID: 3519838083-1166558509
                                • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                • Instruction ID: 0dce38daabddeb94e61a4ac723d64c8d3675845641e33dddf8b995730c94a81c
                                • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                • Instruction Fuzzy Hash: 26E1C0309042099ECB11DFE8C890BEDB7B1BF8631CF10411AD86667A91DB71AD8BCB1D
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog__aullrem
                                • String ID: d%K
                                • API String ID: 3415659256-3110269457
                                • Opcode ID: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                • Instruction ID: 5cc2d5c3793e1d9f5d0f0efb757f83273ac7abc8becaf27b83c4f9db39287f7a
                                • Opcode Fuzzy Hash: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                • Instruction Fuzzy Hash: B7810772A006099FDF01CF58C550BDEBBF6AF49349F248069D868AB741D771D90ACBA8
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$hfJ
                                • API String ID: 3519838083-1391159562
                                • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                • Instruction ID: e444b1dd243b23be0624923a2f07e81e12146033f6249b22b28f3a17aace6ae7
                                • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                • Instruction Fuzzy Hash: B3914870910249EFCB10DFA9C8849DEFBF4FF19308F54452EE556A7A90D770AA49CB28
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6C5C5D
                                  • Part of subcall function 6C6C461A: __EH_prolog.LIBCMT ref: 6C6C461F
                                  • Part of subcall function 6C6C4A2E: __EH_prolog.LIBCMT ref: 6C6C4A33
                                  • Part of subcall function 6C6C5EA5: __EH_prolog.LIBCMT ref: 6C6C5EAA
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: WZJ
                                • API String ID: 3519838083-1089469559
                                • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                • Instruction ID: f52ac430b3b11cd6da8f993ba300030c5c52fdbf359d3a0cd682fad8d5767b15
                                • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                • Instruction Fuzzy Hash: 82817D31E00159DFCF15DFA4D994ADDB7B4EF0A308F10409AE416A7790DB70AE09DB69
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: <dJ$Q
                                • API String ID: 3519838083-2252229148
                                • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                • Instruction ID: dc6f53bab358e4cecfb5cc1144ef49b8de2acafd4ac12a38108c797985d7d9a1
                                • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                • Instruction Fuzzy Hash: D5515A71A44209EFCF00DFD8C8808EDB7B1FF49318F10852EE525ABA50D7719A4ACB5A
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $D^J
                                • API String ID: 3519838083-3977321784
                                • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                • Instruction ID: 2302e087951cc79067540d58eedd0f53c4f98b3e486223e481699b8e7534b5fd
                                • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                • Instruction Fuzzy Hash: 81415B70B046906ED7329BA884507E9BBA1DF2F348F14815BC49247EA1DB64998BC39F
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: X&L$p|J
                                • API String ID: 3519838083-2944591232
                                • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                • Instruction ID: 48862328f03357a4578a9309dcbec1a28b4c1b5dc1530478c308fa3fb09c956b
                                • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                • Instruction Fuzzy Hash: 8131D53168F107CFD7009B5CDD0DFE97762EB1A318F104127D610A6AA0CB618ACA8A5D
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 0|J$`)L
                                • API String ID: 3519838083-117937767
                                • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                • Instruction ID: ca9fa0b75626452deddedee296eca53b9072351c2714df1151f02186d392564b
                                • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                • Instruction Fuzzy Hash: 8241B131606745EFCF118FA4C4907EEBBE2FF4A308F00442EE45A97651CB31A806DB59
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: __aulldiv
                                • String ID: 3333
                                • API String ID: 3732870572-2924271548
                                • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                • Instruction ID: 33b5a838e2414bb9b4ecb5f0cd3e9a49ea6a811b15f99a5a3cbf19e028e80b64
                                • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                • Instruction Fuzzy Hash: 3421B7B09057046ED730CFB98884BABBAFCEB88754F10C91FA146D3B40D770E9049769
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$LuJ
                                • API String ID: 3519838083-205571748
                                • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                • Instruction ID: d779faf85f7be95867235d8b931217bbad8f361ca224573cf8f7027e2ef5a97f
                                • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                • Instruction Fuzzy Hash: A2016D72E05209DACB10EFA988805AEFBB4EF59704F40842EE569F7A41C3346905CBAD
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$xMJ
                                • API String ID: 3519838083-951924499
                                • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                • Instruction ID: ee80a73b723db979fac1b5108687df1f0c34ea480ad83b1083875fbe0bea62c6
                                • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                • Instruction Fuzzy Hash: 20117C71A00209DBCB00CFD9C49459EB7B4FF29308B50C42ED429E7601D3349A15CB59
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prologctype
                                • String ID: |zJ
                                • API String ID: 3037903784-3782439380
                                • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                • Instruction ID: fdfabc5639fcc9c98f9e03422d1874b8505359b3d3ba1db26a80ddeb7e2b5506
                                • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                • Instruction Fuzzy Hash: F8E0ED32A0A121EBEB048F48D900BDEF3A8FF58B14F10401FD016A3A40CFB0A8118A89
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID: H_prologctype
                                • String ID: <oJ
                                • API String ID: 3037903784-2791053824
                                • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                • Instruction ID: 33dd797b75602b40ab6374befeb937e0ac76bc17b4da81b6a99be6b0901102d4
                                • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                • Instruction Fuzzy Hash: 7AE0ED32A051219FDB089F48EC14BEEF7B4EF41714F12021FA021A3B45CBB1B8008689
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID: @ K$DJ$T)K$X/K
                                • API String ID: 0-3815299647
                                • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                • Instruction ID: f49977fdf41e1f3825ba145273090686ec1486f387115e28b96a891e3b35d6ac
                                • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                • Instruction Fuzzy Hash: C791F2B47043059BCB00EE74C6507EE77F2AF4630EF104869C8669BB85CB75E94AC76A
                                Memory Dump Source
                                • Source File: 00000006.00000002.1931614855.000000006C6A5000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C6A5000, based on PE: true
                                • Associated: 00000006.00000002.1932306579.000000006C776000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c5b0000_Setup64v4.jbxd
                                Similarity
                                • API ID:
                                • String ID: D)K$H)K$P)K$T)K
                                • API String ID: 0-2262112463
                                • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                • Instruction ID: 6224b21df9fbb050acab13b68332d330e198de6b6eab2a1aef67814718059bd7
                                • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                • Instruction Fuzzy Hash: 3C51C3B1A092099BCF00CF94D944AEEB7F5BF1631CF10452AE811A7B90DB75ED4AC758

                                Execution Graph

                                Execution Coverage: 4.3%
                                Dynamic/Decrypted Code Coverage: 0%
                                Signature Coverage: 1.7%
                                Total number of Nodes: 2000
                                Total number of Limit Nodes: 27
                                execution_graph: rendered as an interactive node/edge diagram in the original report; the flattened edge list is not reproducible as text. Recoverable from it: cluster roots at f75475, f88eb1, f4c3bd, fc69f0, f6cefb and f620fb, with node addresses spanning f41089 through fc69f0; API and CRT routines annotated on the graph's nodes: GetTickCount, GetLastError, SetLastError, GetModuleHandleW, GetProcAddress, GetDiskFreeSpaceW, FindFirstFileW, FindClose, CloseHandle, CharUpperW, VariantClear, malloc, free, memcpy, memmove, strlen, strcmp, wcscmp, fputs, fputc, fflush, __aulldiv, __EH_prolog and _CxxThrowException.
73675->73402 73677 f46852 FindClose 73676->73677 73678 f4685d 73676->73678 73677->73678 73679 f41e40 free 73678->73679 73679->73417 73680->73350 73681->73370 73682->73333 73683->73349 73684->73352 73685->73351 73686->73373 73687->73386 73688->73391 73689->73408 73690->73351 73691->73352 73692->73383 73700 f48b80 73693->73700 73696 f48b6e 73696->73655 73697 f42f88 3 API calls 73697->73696 73698->73659 73699->73647 73702 f48b8a __EH_prolog 73700->73702 73701 f48b55 73701->73696 73701->73697 73702->73701 73703 f48c7b 73702->73703 73710 f48be1 73702->73710 73704 f48d23 73703->73704 73706 f48c8f 73703->73706 73705 f48e8a 73704->73705 73707 f48d3b 73704->73707 73708 f42e47 2 API calls 73705->73708 73706->73707 73713 f48c9e 73706->73713 73709 f42e04 2 API calls 73707->73709 73711 f48e96 73708->73711 73712 f48d43 73709->73712 73710->73701 73714 f42e47 2 API calls 73710->73714 73718 f42e47 2 API calls 73711->73718 73797 f46332 6 API calls 2 library calls 73712->73797 73717 f42e47 2 API calls 73713->73717 73715 f48c05 73714->73715 73722 f48c24 73715->73722 73723 f48c17 73715->73723 73730 f48ca7 73717->73730 73720 f48eb8 73718->73720 73719 f48d52 73721 f48d56 73719->73721 73798 f4859e malloc _CxxThrowException free _CxxThrowException 73719->73798 73809 f48f57 memmove 73720->73809 73808 f41e40 free 73721->73808 73728 f42e47 2 API calls 73722->73728 73787 f41e40 free 73723->73787 73727 f48ec4 73732 f48ede 73727->73732 73733 f48ec8 73727->73733 73734 f48c35 73728->73734 73731 f42e47 2 API calls 73730->73731 73735 f48cd0 73731->73735 73812 f43221 malloc _CxxThrowException free _CxxThrowException 73732->73812 73810 f41e40 free 73733->73810 73788 f48f57 memmove 73734->73788 73792 f48f57 memmove 73735->73792 73740 f48ed0 73811 f41e40 free 73740->73811 73741 f48c41 73745 f48c6b 73741->73745 73789 f431e5 malloc _CxxThrowException free _CxxThrowException 73741->73789 73742 f48eeb 73813 f431e5 malloc _CxxThrowException free _CxxThrowException 73742->73813 73743 f48cdc 73748 f48d13 
73743->73748 73793 f43221 malloc _CxxThrowException free _CxxThrowException 73743->73793 73791 f41e40 free 73745->73791 73796 f41e40 free 73748->73796 73749 f48f06 73814 f431e5 malloc _CxxThrowException free _CxxThrowException 73749->73814 73750 f48c73 73816 f41e40 free 73750->73816 73755 f48ced 73794 f431e5 malloc _CxxThrowException free _CxxThrowException 73755->73794 73756 f42e04 2 API calls 73761 f48ddf 73756->73761 73757 f48c60 73790 f431e5 malloc _CxxThrowException free _CxxThrowException 73757->73790 73759 f48f11 73815 f41e40 free 73759->73815 73764 f48e0e 73761->73764 73765 f48df1 73761->73765 73766 f42f88 3 API calls 73764->73766 73799 f43199 malloc _CxxThrowException free _CxxThrowException 73765->73799 73770 f48e0c 73766->73770 73767 f48d65 73767->73721 73767->73756 73768 f48d08 73795 f431e5 malloc _CxxThrowException free _CxxThrowException 73768->73795 73801 f48f57 memmove 73770->73801 73772 f48e03 73800 f43199 malloc _CxxThrowException free _CxxThrowException 73772->73800 73775 f48e22 73776 f48e26 73775->73776 73777 f48e3b 73775->73777 73802 f43221 malloc _CxxThrowException free _CxxThrowException 73775->73802 73807 f41e40 free 73776->73807 73803 f48f34 malloc _CxxThrowException 73777->73803 73781 f48e49 73804 f431e5 malloc _CxxThrowException free _CxxThrowException 73781->73804 73783 f48e56 73805 f41e40 free 73783->73805 73785 f48e62 73806 f431e5 malloc _CxxThrowException free _CxxThrowException 73785->73806 73787->73701 73788->73741 73789->73757 73790->73745 73791->73750 73792->73743 73793->73755 73794->73768 73795->73748 73796->73750 73797->73719 73798->73767 73799->73772 73800->73770 73801->73775 73802->73777 73803->73781 73804->73783 73805->73785 73806->73776 73807->73721 73808->73701 73809->73727 73810->73740 73811->73701 73812->73742 73813->73749 73814->73759 73815->73750 73816->73701 73818 f54415 __EH_prolog 73817->73818 73819 f42e04 2 API calls 73818->73819 73820 f54422 73819->73820 73821 f42e04 2 API calls 73820->73821 73822 f5443c 
73821->73822 73823 f42e04 2 API calls 73822->73823 73824 f542e5 73823->73824 73824->73428 73826 f42e04 2 API calls 73825->73826 73827 f54384 73826->73827 73827->73434 73839 fdfb10 73828->73839 73830 f53d70 GetCurrentProcess 73840 f53e04 73830->73840 73832 f53d8d OpenProcessToken 73833 f53de3 73832->73833 73834 f53d9e LookupPrivilegeValueW 73832->73834 73836 f53e04 CloseHandle 73833->73836 73834->73833 73835 f53dc0 AdjustTokenPrivileges 73834->73835 73835->73833 73837 f53dd5 GetLastError 73835->73837 73838 f53def 73836->73838 73837->73833 73838->73438 73839->73830 73841 f53e11 CloseHandle 73840->73841 73842 f53e0d 73840->73842 73843 f53e21 73841->73843 73842->73832 73843->73832 73844->73444 73846 f75d46 73845->73846 73847 f75d58 73845->73847 73846->73847 73848 f7c7d7 ctype 6 API calls 73846->73848 73847->73451 73849 f41fa0 fputc 73847->73849 73848->73847 73849->73454 73851 f42124 __EH_prolog 73850->73851 73852 f42e47 2 API calls 73851->73852 73853 f42135 73852->73853 73864 f426dd 73853->73864 73857 f4215f 73870 f41e40 free 73857->73870 73859 f42167 73871 f41e40 free 73859->73871 73861 f4216f 73862 f41fa0 fputc 73861->73862 73862->73451 73863->73448 73865 f41e0c ctype 2 API calls 73864->73865 73866 f4214c 73865->73866 73867 f42010 73866->73867 73868 f42033 10 API calls 73867->73868 73869 f42022 fputs 73868->73869 73869->73857 73870->73859 73871->73861 73873 f62b6d __EH_prolog 73872->73873 73874 f42e04 2 API calls 73873->73874 73875 f62b9a 73874->73875 73876 f42e04 2 API calls 73875->73876 73877 f62b54 73876->73877 73877->73293 73878->73469 73880 f75a63 73879->73880 73881 f75a59 73879->73881 73880->73506 73882 f7c7d7 ctype 6 API calls 73881->73882 73882->73880 73896 f7801c __EH_prolog 73883->73896 73884 f7660c 73884->73487 73910 f41fa0 fputc 73884->73910 73885 f78038 fputs 73930 f78341 73885->73930 73887 f78073 fputs 73954 f41fa0 fputc 73887->73954 73889 f78341 16 API calls 73889->73896 73890 f42e47 2 API calls 73890->73896 73894 f78565 24 API calls 73894->73896 
73896->73884 73896->73885 73896->73887 73896->73889 73896->73890 73896->73894 73898 f781c6 fputs 73896->73898 73900 f781a3 SysFreeString 73896->73900 73901 f78298 SysFreeString 73896->73901 73902 f782a3 73896->73902 73944 f78622 73896->73944 73955 f785c6 16 API calls 73896->73955 73956 f41e40 free 73896->73956 73957 f7831f fputc fputs fputs fputs 73896->73957 73958 f782bb fputc fputs fputs fputs 73896->73958 73959 f784a7 73896->73959 73983 f4965d 73896->73983 73898->73896 73900->73896 73901->73884 73904 f4965d VariantClear 73902->73904 73904->73901 73907->73506 73908->73506 73909->73506 73910->73487 73911->73481 73912->73494 73913->73499 73914->73512 73916 f41fbd __EH_prolog 73915->73916 73917 f426dd 2 API calls 73916->73917 73918 f41fcb 73917->73918 73919 f42e47 2 API calls 73918->73919 73920 f41fda 73919->73920 73921 f42010 11 API calls 73920->73921 73922 f41fed 73921->73922 74060 f41e40 free 73922->74060 73924 f41ff5 74061 f41e40 free 73924->74061 73926 f41ffd 73927 f41e40 free 73926->73927 73927->73508 73928->73502 73929->73487 73987 fdfb10 73930->73987 73932 f7834b fputs fputs 73933 f7836f 73932->73933 73934 f7837b 73932->73934 73988 f783bf 73933->73988 73936 f42e47 2 API calls 73934->73936 73938 f78386 73936->73938 73937 f78379 73937->73896 73939 f41fb3 11 API calls 73938->73939 73940 f7839f 73939->73940 74008 f41fa0 fputc 73940->74008 73942 f783a6 74009 f41e40 free 73942->74009 73945 f78631 73944->73945 74015 f76134 73945->74015 73948 f78657 73950 f76134 9 API calls 73948->73950 73949 f78341 16 API calls 73949->73948 73951 f7866b 73950->73951 73952 f78682 73951->73952 73953 f78341 16 API calls 73951->73953 73952->73896 73953->73952 73954->73896 73955->73896 73956->73896 73957->73896 73958->73896 73960 f784b1 __EH_prolog 73959->73960 73961 f42e04 2 API calls 73960->73961 73962 f784c2 73961->73962 74029 f6e969 73962->74029 73965 f426dd 2 API calls 73967 f784e2 73965->73967 73969 f42e04 2 API calls 73967->73969 73968 f78554 73968->73896 73970 f784ee 
73969->73970 74037 f7750c 73970->74037 73973 f78510 fputs 73975 f78525 fputs 73973->73975 73974 f7851b 73976 f41fb3 11 API calls 73974->73976 73977 f783bf 14 API calls 73975->73977 73976->73975 73978 f7853a 73977->73978 74046 f41e40 free 73978->74046 73980 f78542 74047 f41e40 free 73980->74047 73982 f7854a 74048 f41e40 free 73982->74048 73984 f49685 SysFreeString 73983->73984 73986 f49665 73983->73986 73984->73896 73985 f4967e VariantClear 73985->73984 73986->73984 73986->73985 73987->73932 73989 f783c9 __EH_prolog 73988->73989 73990 f42e47 2 API calls 73989->73990 73991 f783d8 73990->73991 73992 f783ec 73991->73992 73993 f7843e 73991->73993 74010 f41fa0 fputc 73992->74010 73996 f41fb3 11 API calls 73993->73996 73995 f783f4 fputs 74011 f41fa0 fputc 73995->74011 73998 f78453 73996->73998 74013 f41fa0 fputc 73998->74013 74000 f7845a 74014 f41e40 free 74000->74014 74002 f7840c 74004 f41fb3 11 API calls 74002->74004 74003 f78462 74003->73937 74005 f78429 74004->74005 74012 f41fa0 fputc 74005->74012 74007 f78430 fputs 74007->73998 74008->73942 74009->73937 74010->73995 74011->74002 74012->74007 74013->74000 74014->74003 74016 f76147 74015->74016 74017 f7617c 74015->74017 74025 f76184 6 API calls 2 library calls 74016->74025 74017->73948 74017->73949 74019 f76150 fputs 74026 f41fa0 fputc 74019->74026 74021 f76166 fputs 74027 f41fa0 fputc 74021->74027 74023 f76174 74028 f41e40 free 74023->74028 74025->74019 74026->74021 74027->74023 74028->74017 74030 f6e982 74029->74030 74031 f6e978 74029->74031 74050 f6e7ff FileTimeToLocalFileTime FileTimeToSystemTime strlen strlen 74030->74050 74049 f43097 malloc _CxxThrowException free SysStringLen ctype 74031->74049 74034 f6e990 74051 f430ea 74034->74051 74035 f6e980 74035->73965 74035->73982 74038 f77523 74037->74038 74039 f77511 74037->74039 74041 f77527 74038->74041 74042 f77533 74038->74042 74058 f4275e malloc _CxxThrowException free ctype 74039->74058 74044 f42f88 3 API calls 74041->74044 74059 f42928 malloc _CxxThrowException 
free memcpy _CxxThrowException 74042->74059 74043 f77521 74043->73973 74043->73974 74044->74043 74046->73980 74047->73982 74048->73968 74049->74035 74050->74034 74052 f430fd 74051->74052 74053 f41e0c ctype 2 API calls 74052->74053 74054 f4311d 74052->74054 74055 f43113 74053->74055 74054->74035 74057 f41e40 free 74055->74057 74057->74054 74058->74043 74059->74043 74060->73924 74061->73926 74063 f633a4 __EH_prolog 74062->74063 74064 f42f1c 2 API calls 74063->74064 74065 f633b7 74064->74065 74247 f633fe 74065->74247 74068 f633db 74070 f42f1c 2 API calls 74068->74070 74071 f633e6 74070->74071 74251 f41e40 free 74071->74251 74073 f62d90 74074 f42e8a 74073->74074 74075 f42ea0 74074->74075 74076 f42ba6 2 API calls 74075->74076 74077 f42eaf 74076->74077 74078 f434d7 74077->74078 74079 f434e9 74078->74079 74080 f4353b 74078->74080 74254 f43542 wcscmp 74079->74254 74086 f41e40 free 74080->74086 74084 f434f5 74084->74080 74255 f432c5 wcsstr 74084->74255 74256 f43599 memmove 74084->74256 74257 f43451 malloc _CxxThrowException free memmove _CxxThrowException 74084->74257 74086->73532 74087->73534 74258 f57982 74088->74258 74096 f5485f 74272 f44fc0 74096->74272 74097 f42fec 3 API calls 74098 f5496e 74097->74098 74099 f42fec 3 API calls 74098->74099 74100 f54979 74099->74100 74101 f5499b 74100->74101 74282 f4859e malloc _CxxThrowException free _CxxThrowException 74100->74282 74101->73570 74229 f53f5c 9 API calls 74101->74229 74103 f5498b 74283 f4631f 74103->74283 74110 f8b067 __EH_prolog 74107->74110 74108 f8b143 74109 f41e0c ctype 2 API calls 74108->74109 74121 f8b0b5 74108->74121 74111 f8b167 74109->74111 74110->74121 74346 f75883 EnterCriticalSection 74110->74346 74112 f41e0c ctype 2 API calls 74111->74112 74124 f8b1d1 74112->74124 74113 f8b242 74115 f8b8dc ctype free 74113->74115 74114 f8b29a 74350 f8b8dc 74114->74350 74115->74121 74118 f8b3e9 74120 f8b8dc ctype free 74118->74120 74119 f8b456 74123 f8b8dc ctype free 74119->74123 74120->74121 74121->73582 74122 f42e04 2 API 
calls 74122->74124 74123->74121 74124->74113 74124->74114 74124->74118 74124->74119 74124->74122 74126 f8b028 107 API calls 74124->74126 74127 f8b566 74124->74127 74129 f8b6ce 74124->74129 74133 f8b5fb 74124->74133 74356 f8ad15 74124->74356 74359 f881ec 74124->74359 74451 f88e04 memset 74124->74451 74452 f41e40 free 74124->74452 74126->74124 74445 f88e04 memset 74127->74445 74449 f88e04 memset 74129->74449 74130 f8b572 74447 f88e04 memset 74133->74447 74148->73597 75036 fdfb10 74149->75036 74151 f76770 EnterCriticalSection 74152 f76794 74151->74152 74153 f7679e 74151->74153 74155 f7c7d7 ctype 6 API calls 74152->74155 74154 f767be 74153->74154 75037 f41f91 fflush 74153->75037 74157 f76892 74154->74157 74158 f767c9 74154->74158 74155->74153 74160 f76933 74157->74160 75043 f41fa0 fputc 74157->75043 74159 f76817 74158->74159 74161 f767df 74158->74161 74179 f76873 74159->74179 75038 f41fa0 fputc 74159->75038 74160->73597 74161->74179 74167 f768cb fputs 74179->74160 74182->73563 74183->73540 74184->73598 74186 f68fae __EH_prolog 74185->74186 74187 f67ebb free 74186->74187 74188 f68ff2 74187->74188 75050 f68b64 74188->75050 74191 f69131 74191->73598 74193 f69020 74193->74191 74194 f42fec 3 API calls 74193->74194 74195 f6903a 74194->74195 74208 f6904d 74195->74208 75054 f68b80 VariantClear 74195->75054 74197 f69244 75059 f443b7 5 API calls 2 library calls 74197->75059 74198 f691b0 75057 f68b9c 10 API calls 2 library calls 74198->75057 74199 f69144 74202 f42f88 3 API calls 74199->74202 74206 f6917b 74199->74206 74202->74206 74203 f69100 74207 f4965d VariantClear 74203->74207 74204 f691c0 74204->74191 74211 f42f88 3 API calls 74204->74211 74205 f690d6 74205->74203 74210 f690e7 74205->74210 75056 f68f2e 9 API calls 74205->75056 74206->74197 74206->74198 74207->74191 74208->74191 74208->74199 74208->74203 74208->74205 75055 f43097 malloc _CxxThrowException free SysStringLen ctype 74208->75055 74213 f4965d VariantClear 74210->74213 74217 f691ff 74211->74217 74213->74199 74214 
f69112 74214->74203 74215 f68b64 VariantClear 74214->74215 74216 f69123 74215->74216 74216->74203 74216->74210 74217->74191 75058 f450ff free ctype 74217->75058 74219->73598 74221 f804df 74220->74221 74222 f80513 74220->74222 74223 f804e8 _CxxThrowException 74221->74223 74224 f804fd 74221->74224 74222->73598 74223->74224 75060 f80551 malloc _CxxThrowException free memcpy ctype 74224->75060 74226->73551 74227->73541 74228->73544 74229->73570 74230->73554 74231->73568 74232->73551 74233->73591 74234->73587 74235->73551 74236->73562 74237->73572 74238->73577 74239->73583 74241 f72dc4 74240->74241 74244 f72de2 74240->74244 74241->74244 74245 f41e40 free ctype 74241->74245 74243 f6314e 74246 f41e40 free 74243->74246 75061 f41e40 free 74244->75061 74245->74241 74246->73596 74248 f63406 74247->74248 74249 f633cb 74248->74249 74253 f433c9 malloc _CxxThrowException free _CxxThrowException memmove 74248->74253 74249->74068 74252 f42f4a malloc _CxxThrowException free ctype 74249->74252 74251->74073 74252->74068 74253->74249 74254->74084 74255->74084 74256->74084 74257->74084 74259 f54811 74258->74259 74261 f5798d 74258->74261 74263 f67ebb 74259->74263 74261->74259 74288 f558b4 free ctype 74261->74288 74289 f41e40 free 74261->74289 74265 f54854 74263->74265 74266 f67ec6 74263->74266 74264 f41e40 free ctype 74264->74266 74267 fac620 74265->74267 74266->74264 74266->74265 74268 fac62b 74267->74268 74269 fac648 74267->74269 74268->74269 74290 f562af free ctype 74268->74290 74291 f41e40 free 74268->74291 74269->74096 74273 f44fd2 74272->74273 74275 f44fce 74272->74275 74274 f67ebb free 74273->74274 74276 f44fd9 74274->74276 74275->74097 74277 f45006 74276->74277 74278 f44ffe 74276->74278 74279 f44fe9 _CxxThrowException 74276->74279 74277->74275 74293 f41524 malloc _CxxThrowException __EH_prolog ctype 74277->74293 74292 f80551 malloc _CxxThrowException free memcpy ctype 74278->74292 74279->74278 74282->74103 74284 f49245 74283->74284 74294 f490da 74284->74294 74287 f4859e malloc 
_CxxThrowException free _CxxThrowException 74287->74101 74288->74261 74289->74261 74290->74268 74291->74268 74292->74277 74293->74277 74295 f490e4 __EH_prolog 74294->74295 74296 f42f88 3 API calls 74295->74296 74297 f490f7 74296->74297 74298 f4915d 74297->74298 74303 f49109 74297->74303 74299 f42e04 2 API calls 74298->74299 74300 f49165 74299->74300 74301 f491be 74300->74301 74304 f49174 74300->74304 74340 f46332 6 API calls 2 library calls 74301->74340 74306 f42e47 2 API calls 74303->74306 74319 f49155 74303->74319 74307 f42f88 3 API calls 74304->74307 74305 f4917d 74309 f491ca 74305->74309 74338 f4859e malloc _CxxThrowException free _CxxThrowException 74305->74338 74308 f49122 74306->74308 74307->74305 74335 f48f57 memmove 74308->74335 74312 f4912e 74315 f4914d 74312->74315 74336 f431e5 malloc _CxxThrowException free _CxxThrowException 74312->74336 74337 f41e40 free 74315->74337 74319->74287 74335->74312 74336->74315 74337->74319 74340->74305 74347 f7589e 74346->74347 74349 f758b4 74346->74349 74348 f7c911 24 API calls 74347->74348 74348->74349 74349->74108 74455 f8aeeb 74356->74455 74360 f881f6 __EH_prolog 74359->74360 74445->74130 74451->74124 74452->74124 75036->74151 75037->74154 75043->74167 75051 f68b05 VariantClear 75050->75051 75052 f68b6f 75051->75052 75052->74191 75053 f68f2e 9 API calls 75052->75053 75053->74193 75054->74208 75055->74205 75056->74214 75057->74204 75058->74191 75059->74191 75060->74222 75061->74243 75062->73608 75063->73604 75066 f6d259 75064->75066 75065 f62bd2 75068 f62c0b 75065->75068 75066->75065 75075 f6e0f6 75066->75075 75097 f41e40 free 75068->75097 75070 f62c16 75098 f41e40 free 75070->75098 75072 f62bde 75073 f41e40 free 75072->75073 75073->73616 75074->73620 75076 f6e107 75075->75076 75077 f6e114 75075->75077 75081 f6326b 75076->75081 75077->75066 75082 f63275 __EH_prolog 75081->75082 75083 f62c0b ctype free 75082->75083 75084 f6328e 75083->75084 75085 f62c0b ctype free 75084->75085 75086 f63296 75085->75086 75094 f41e40 free 
75086->75094 75088 f6329e 75095 f41e40 free 75088->75095 75090 f632a6 75096 f41e40 free 75090->75096 75092 f632ae 75093 f41e40 free 75092->75093 75093->75077 75094->75088 75095->75090 75096->75092 75097->75070 75098->75072 75099 fdffb0 75100 fdffb4 __setusermatherr 75099->75100 75105 fe0068 _controlfp 75100->75105 75102 fdffc2 _initterm __getmainargs _initterm __p___initenv 75106 f7c27c 75102->75106 75105->75102 75107 f7c286 __EH_prolog 75106->75107 75120 f7c54c GetVersionExW 75107->75120 75110 f7c2ac fputs 75112 f7c53b exit _XcptFilter 75110->75112 75111 f7c2c8 75122 f753fd SetConsoleCtrlHandler 75111->75122 75121 f7c2a8 75120->75121 75121->75110 75121->75111 75123 f75415 _CxxThrowException 75122->75123 75124 f7542a 75122->75124 75123->75124 75125 fdd290 GetVersion 75124->75125 75126 fdd29c GetModuleHandleW GetProcAddress 75125->75126 75127 f7c2e1 75125->75127 75126->75127 75128 fdd2b7 75126->75128 75129 f797b8 75127->75129 75128->75127 75493 fdfb10 75129->75493 75131 f797c2 SetFileApisToOEM GetCommandLineW 75132 f42e47 2 API calls 75131->75132 75133 f797ee 75132->75133 75494 f410b7 75133->75494 75137 f7980b 75138 f7981a 75137->75138 75887 f45125 free memmove ctype 75137->75887 75140 f79831 75138->75140 75141 f7981f 75138->75141 75516 f7adb7 75140->75516 75888 f7b5b1 75141->75888 75147 f72db9 ctype free 75343 f7992d 75147->75343 75149 f42e04 2 API calls 75150 f7985d 75149->75150 75538 f51ade 75150->75538 75492 f7544f SetConsoleCtrlHandler 75343->75492 75492->75112 75493->75131 75495 f410bc __EH_prolog 75494->75495 75496 f42f1c 2 API calls 75495->75496 75497 f410d0 75496->75497 75982 f43340 75497->75982 75500 f67ebb free 75514 f410eb 75500->75514 75501 f42e04 malloc _CxxThrowException 75501->75514 75503 f804d2 5 API calls 75503->75514 75504 f41152 75992 f41e40 free 75504->75992 75506 f42fec 3 API calls 75506->75514 75507 f4115a 75993 f41e40 free 75507->75993 75510 f41e40 free ctype 75510->75514 75511 f41162 75994 f41e40 free 75511->75994 75513 f4116a 75515 f41e40 
free 75513->75515 75514->75501 75514->75503 75514->75504 75514->75506 75514->75510 75986 f41000 75514->75986 75995 f41524 malloc _CxxThrowException __EH_prolog ctype 75514->75995 75515->75137 75517 f7adc1 __EH_prolog 75516->75517 75518 f426dd 2 API calls 75517->75518 75519 f7ae1d 75518->75519 75520 f42e04 2 API calls 75519->75520 75521 f7ae38 75520->75521 75522 f42e04 2 API calls 75521->75522 75523 f7ae44 75522->75523 75524 f42e04 2 API calls 75523->75524 75525 f7ae68 75524->75525 75997 f7ad29 75525->75997 75529 f7ae94 75530 f42e04 2 API calls 75529->75530 75531 f7983c 75530->75531 75532 f4117a 75531->75532 75533 f4117f __EH_prolog 75532->75533 75534 f426dd 2 API calls 75533->75534 75535 f411a7 75534->75535 75536 f42e04 2 API calls 75535->75536 75537 f411b3 75536->75537 75537->75149 75539 f51ae8 __EH_prolog 75538->75539 76031 f413f5 75539->76031 75542 f51b32 6 API calls 75544 f51b8d 75542->75544 75553 f51bf8 75544->75553 76049 f51ea4 9 API calls 75544->76049 75545 f51b24 _CxxThrowException 75545->75542 75547 f51bdf 75548 f427bb 3 API calls 75547->75548 75549 f51bec 75548->75549 76050 f41e40 free 75549->76050 75551 f51c89 76045 f51eb9 75551->76045 75553->75551 76051 f61d73 5 API calls __EH_prolog 75553->76051 75556 f51cb2 _CxxThrowException 75556->75551 75887->75138 75889 f7982c 75888->75889 75890 f7b5bc fputs 75888->75890 75889->75147 76406 f41fa0 fputc 75890->76406 75892 f7b5d5 75892->75889 75893 f7b5d9 fputs 75892->75893 75893->75889 75983 f43348 75982->75983 75984 f410e4 75983->75984 75985 f43369 memmove 75983->75985 75984->75500 75985->75984 75990 f41067 75986->75990 75991 f4102a 75986->75991 75987 f41075 75988 f42f88 3 API calls 75987->75988 75988->75990 75990->75514 75991->75987 75991->75990 75996 f41089 malloc _CxxThrowException free _CxxThrowException 75991->75996 75992->75507 75993->75511 75994->75513 75995->75514 75996->75991 75998 f7ad33 __EH_prolog 75997->75998 75999 f42e04 2 API calls 75998->75999 76000 f7ad5f 75999->76000 76001 f42e04 2 API calls 
76000->76001 76002 f7ad72 76001->76002 76003 f7af2d 76002->76003 76004 f7af37 __EH_prolog 76003->76004 76015 f534f4 76004->76015 76007 f42e04 2 API calls 76008 f7afbb 76007->76008 76009 f42e04 2 API calls 76008->76009 76010 f7afca 76009->76010 76011 f42e04 2 API calls 76010->76011 76012 f7afd9 76011->76012 76013 f42e04 2 API calls 76012->76013 76014 f7afe8 76013->76014 76014->75529 76016 f534fe __EH_prolog 76015->76016 76017 f42e04 2 API calls 76016->76017 76018 f5350a 76017->76018 76019 f42e04 2 API calls 76018->76019 76020 f53516 76019->76020 76021 f42e04 2 API calls 76020->76021 76022 f53522 76021->76022 76023 f42e04 2 API calls 76022->76023 76024 f5352e 76023->76024 76025 f42e04 2 API calls 76024->76025 76026 f5353a 76025->76026 76027 f42e04 2 API calls 76026->76027 76028 f5354a 76027->76028 76029 f42e04 2 API calls 76028->76029 76030 f53556 76029->76030 76030->76007 76032 f413fa __EH_prolog 76031->76032 76033 f67ebb free 76032->76033 76034 f4142b 76033->76034 76035 f41438 76034->76035 76052 f41212 free ctype 76034->76052 76037 f41e0c ctype 2 API calls 76035->76037 76038 f4144d 76037->76038 76039 f804d2 5 API calls 76038->76039 76042 f41507 76038->76042 76044 f414f4 76038->76044 76053 f41265 5 API calls 2 library calls 76038->76053 76054 f41524 malloc _CxxThrowException __EH_prolog ctype 76038->76054 76039->76038 76043 f42fec 3 API calls 76042->76043 76043->76044 76044->75542 76048 f61d73 5 API calls __EH_prolog 76044->76048 76055 f49313 GetCurrentProcess OpenProcessToken 76045->76055 76048->75545 76049->75547 76050->75553 76051->75556 76052->76035 76053->76038 76054->76038 76056 f49390 76055->76056 76057 f4933a LookupPrivilegeValueW 76055->76057 76058 f49382 76057->76058 76059 f4934c AdjustTokenPrivileges 76057->76059 76059->76058 76406->75892 76407 f47b20 76410 f47ab2 76407->76410 76411 f47ac5 76410->76411 76412 f4759a 12 API calls 76411->76412 76413 f47ade 76412->76413 76414 f47aeb SetFileTime 76413->76414 76415 f47b03 76413->76415 76414->76415 76418 f47919 
76415->76418 76419 f47aac 76418->76419 76420 f4793c 76418->76420 76420->76419 76421 f47945 DeviceIoControl 76420->76421 76422 f479e6 76421->76422 76423 f47969 76421->76423 76424 f479ef DeviceIoControl 76422->76424 76427 f47a14 76422->76427 76423->76422 76429 f479a7 76423->76429 76425 f47a22 DeviceIoControl 76424->76425 76424->76427 76426 f47a44 DeviceIoControl 76425->76426 76425->76427 76426->76427 76427->76419 76435 f4780d 8 API calls ctype 76427->76435 76434 f49252 GetModuleHandleW GetProcAddress GetDiskFreeSpaceW 76429->76434 76430 f47aa5 76432 f477de 5 API calls 76430->76432 76432->76419 76433 f479d0 76433->76422 76434->76433 76435->76430 76436 fd7da0 WaitForSingleObject 76437 fd7dbb GetLastError 76436->76437 76438 fd7dc1 76436->76438 76437->76438 76439 fd7dce CloseHandle 76438->76439 76441 fd7ddf 76438->76441 76440 fd7dd9 GetLastError 76439->76440 76439->76441 76440->76441 76442 f51368 76445 f5136d 76442->76445 76444 f5138c 76445->76444 76448 fd7d80 WaitForSingleObject 76445->76448 76451 f7f745 76445->76451 76455 fd7ea0 SetEvent GetLastError 76445->76455 76449 fd7d8e GetLastError 76448->76449 76450 fd7d98 76448->76450 76449->76450 76450->76445 76452 f7f74f __EH_prolog 76451->76452 76456 f7f784 76452->76456 76454 f7f765 76454->76445 76455->76445 76457 f7f78e __EH_prolog 76456->76457 76458 f512d4 4 API calls 76457->76458 76459 f7f7c7 76458->76459 76460 f512d4 4 API calls 76459->76460 76461 f7f7d4 76460->76461 76462 f7f871 76461->76462 76465 f4c4d6 76461->76465 76471 fc6b23 VirtualAlloc 76461->76471 76462->76454 76466 f4c4e9 76465->76466 76469 f4c6f3 76466->76469 76470 f4c695 memmove 76466->76470 76472 f5111c 76466->76472 76477 f511b4 76466->76477 76469->76462 76470->76466 76471->76462 76473 f51130 76472->76473 76474 f5115f 76473->76474 76482 f4d331 76473->76482 76486 f4b668 76473->76486 76474->76466 76478 f511c1 76477->76478 76479 f511eb 76478->76479 76513 f8af27 76478->76513 76520 f8ae7c 76478->76520 76479->76466 76483 f4d355 76482->76483 76484 f4d374 
76483->76484 76485 f4b668 10 API calls 76483->76485 76484->76473 76485->76484 76498 f4b675 76486->76498 76487 f4b864 76505 f47b7c 76487->76505 76490 f4b8aa GetLastError 76491 f4b6aa 76490->76491 76491->76473 76492 f4b81b 76492->76491 76495 f4b839 memcpy 76492->76495 76493 f47731 5 API calls 76493->76498 76494 f4b7e7 76494->76487 76497 f47731 5 API calls 76494->76497 76495->76491 76496 f4b811 76511 f4b8ec GetLastError 76496->76511 76500 f4b80d 76497->76500 76498->76487 76498->76491 76498->76492 76498->76493 76498->76494 76498->76496 76499 f4b7ad 76498->76499 76510 f47b4f ReadFile 76498->76510 76499->76498 76504 f4b8c7 76499->76504 76509 fc6a20 VirtualAlloc 76499->76509 76500->76487 76500->76496 76504->76491 76506 f47b89 76505->76506 76512 f47b4f ReadFile 76506->76512 76508 f47b9a 76508->76490 76508->76491 76509->76499 76510->76498 76511->76491 76512->76508 76514 f8af36 76513->76514 76515 f8ad3a 99 API calls 76514->76515 76517 f8b010 76514->76517 76518 f8aeeb 107 API calls 76514->76518 76525 f4bd0c 76514->76525 76530 f8aebf 107 API calls 76514->76530 76515->76514 76517->76478 76518->76514 76521 f8ae86 76520->76521 76524 f57140 7 API calls 76521->76524 76539 f57190 76521->76539 76522 f8aebb 76522->76478 76524->76522 76531 f47ca2 76525->76531 76528 f4bd3d 76528->76514 76530->76514 76533 f47caf 76531->76533 76534 f47cdb 76533->76534 76536 f47c68 76533->76536 76534->76528 76535 f4b8ec GetLastError 76534->76535 76535->76528 76537 f47c76 76536->76537 76538 f47c79 WriteFile 76536->76538 76537->76538 76538->76533 76540 f5719a __EH_prolog 76539->76540 76541 f571b0 76540->76541 76544 f571dd 76540->76544 76542 f54d78 VariantClear 76541->76542 76548 f571b7 76542->76548 76552 f56fc5 76544->76552 76545 f572b4 76546 f54d78 VariantClear 76545->76546 76547 f572c0 76545->76547 76546->76547 76547->76548 76549 f57140 7 API calls 76547->76549 76548->76522 76549->76548 76550 f57236 76550->76545 76550->76548 76551 f572a3 SetFileSecurityW 76550->76551 76551->76545 76553 f56fcf __EH_prolog 

                                Control-flow Graph

                                APIs
                                • __EH_prolog.LIBCMT ref: 00F53D6B
                                • GetCurrentProcess.KERNEL32 ref: 00F53D7D
                                • OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 00F53D94
                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00F53DB6
                                • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 00F53DCB
                                • GetLastError.KERNEL32 ref: 00F53DD5
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ProcessToken$AdjustCurrentErrorH_prologLastLookupOpenPrivilegePrivilegesValue
                                • String ID: SeSecurityPrivilege
                                • API String ID: 3475889169-2333288578
                                • Opcode ID: 61421539e01763c5baed50b1b1aa31a2738cf5445a7393512668d3495948db58
                                • Instruction ID: 1a74bd461acf2f414edd7bc0e78765b704bd9ba117c53423262f1bf87735f5b0
                                • Opcode Fuzzy Hash: 61421539e01763c5baed50b1b1aa31a2738cf5445a7393512668d3495948db58
                                • Instruction Fuzzy Hash: 791130B194125D9FDB10DFE5CCC5AFEBBBCFB04795F000529F912E2191D7348A09AA60

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1102 f49313-f49338 GetCurrentProcess OpenProcessToken 1103 f49390 1102->1103 1104 f4933a-f4934a LookupPrivilegeValueW 1102->1104 1105 f49393-f49398 1103->1105 1106 f49382 1104->1106 1107 f4934c-f49370 AdjustTokenPrivileges 1104->1107 1108 f49385-f4938e CloseHandle 1106->1108 1107->1106 1109 f49372-f49380 GetLastError 1107->1109 1108->1105 1109->1108
                                APIs
                                • GetCurrentProcess.KERNEL32(00000020,?), ref: 00F49329
                                • OpenProcessToken.ADVAPI32(00000000), ref: 00F49330
                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F49342
                                • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000000,00000000,00000000,?,?), ref: 00F49368
                                • GetLastError.KERNEL32(?,?), ref: 00F49372
                                • CloseHandle.KERNELBASE(?,?,?), ref: 00F49388
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                • String ID:
                                • API String ID: 3398352648-0
                                • Opcode ID: 30583293e05c627a98153370f69d0e11f934d025a974f07a10d7f0f2f416bb7b
                                • Instruction ID: a292fcbd968270af6f80f38564cc4a1d0368e5b324002d13e8498d08041909ce
                                • Opcode Fuzzy Hash: 30583293e05c627a98153370f69d0e11f934d025a974f07a10d7f0f2f416bb7b
                                • Instruction Fuzzy Hash: EC01C072A49258AFCB109FF19C89BEF7F7CAF02340F040165F941E2190D6B58609E7E0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F881F1
                                  • Part of subcall function 00F8F749: _CxxThrowException.MSVCRT(?,00FF4A58), ref: 00F8F792
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionH_prologThrow
                                • String ID:
                                • API String ID: 461045715-3916222277
                                • Opcode ID: 62aa3b7678c9f6d438ced1072f7c78eb2bc913915e5d2824cb848d59d86b05be
                                • Instruction ID: a6661ea8882b3a7a976485d173fe6f80d10a24f5fe8b6c10a9fccef696a7640b
                                • Opcode Fuzzy Hash: 62aa3b7678c9f6d438ced1072f7c78eb2bc913915e5d2824cb848d59d86b05be
                                • Instruction Fuzzy Hash: 34929F31D00249DFDF15EFA8C844BEEBBB1BF44354F644099E805AB292CB74AD46EB61
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F4686D
                                  • Part of subcall function 00F46848: FindClose.KERNELBASE(00000000,?,00F46880), ref: 00F46853
                                • FindFirstFileW.KERNELBASE(?,?,?,00000000), ref: 00F468A5
                                • FindFirstFileW.KERNELBASE(?,?,00000000,?,00000000), ref: 00F468DE
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: Find$FileFirst$CloseH_prolog
                                • String ID:
                                • API String ID: 3371352514-0
                                • Opcode ID: 415ec5869d7e95fa337d84dfe32dc92a026698d61f426ee883a5a5acfce2838d
                                • Instruction ID: f72c46b96b287a27c62eb21dd23f4328a7973e92494186adab2b59291798da24
                                • Opcode Fuzzy Hash: 415ec5869d7e95fa337d84dfe32dc92a026698d61f426ee883a5a5acfce2838d
                                • Instruction Fuzzy Hash: 8B1190319002099BCF10EF64CC559EDBB79EF51324F104629EDA197192DB359EC6FB41
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F797BD
                                • SetFileApisToOEM.KERNEL32 ref: 00F797CB
                                • GetCommandLineW.KERNEL32 ref: 00F797DF
                                  • Part of subcall function 00F410B7: __EH_prolog.LIBCMT ref: 00F410BC
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                  • Part of subcall function 00F7ADB7: __EH_prolog.LIBCMT ref: 00F7ADBC
                                  • Part of subcall function 00F4117A: __EH_prolog.LIBCMT ref: 00F4117F
                                  • Part of subcall function 00F51ADE: __EH_prolog.LIBCMT ref: 00F51AE3
                                  • Part of subcall function 00F51ADE: _CxxThrowException.MSVCRT(?,00FF6010), ref: 00F51B2D
                                  • Part of subcall function 00F51ADE: _fileno.MSVCRT ref: 00F51B3E
                                  • Part of subcall function 00F51ADE: _isatty.MSVCRT ref: 00F51B47
                                  • Part of subcall function 00F51ADE: _fileno.MSVCRT ref: 00F51B5D
                                  • Part of subcall function 00F51ADE: _isatty.MSVCRT ref: 00F51B60
                                  • Part of subcall function 00F51ADE: _fileno.MSVCRT ref: 00F51B73
                                  • Part of subcall function 00F51ADE: _isatty.MSVCRT ref: 00F51B76
                                • GetStdHandle.KERNEL32(000000F5,?,00000000), ref: 00F799BD
                                • GetConsoleScreenBufferInfo.KERNELBASE(00000000), ref: 00F799C4
                                  • Part of subcall function 00F67018: __EH_prolog.LIBCMT ref: 00F6701D
                                • _CxxThrowException.MSVCRT(?,00FF55B8), ref: 00F79A77
                                • _CxxThrowException.MSVCRT(?,00FF55B8), ref: 00F79ABB
                                • fputs.MSVCRT ref: 00F79B6A
                                • strlen.MSVCRT ref: 00F79B7E
                                • strlen.MSVCRT ref: 00F79B8D
                                • fputs.MSVCRT ref: 00F79BBD
                                • fputc.MSVCRT ref: 00F79BD7
                                • _CxxThrowException.MSVCRT(?,00FF55B8), ref: 00F79C0B
                                • fputc.MSVCRT ref: 00F79C18
                                • fputc.MSVCRT ref: 00F79C2B
                                • fputc.MSVCRT ref: 00F79C5C
                                • fputc.MSVCRT ref: 00F79C7D
                                • fputc.MSVCRT ref: 00F79C85
                                • fputc.MSVCRT ref: 00F79C99
                                • fputc.MSVCRT ref: 00F79D20
                                • fputs.MSVCRT ref: 00F79D31
                                • fputc.MSVCRT ref: 00F79D47
                                • fputs.MSVCRT ref: 00F79D66
                                • fputc.MSVCRT ref: 00F79D8E
                                • fputc.MSVCRT ref: 00F79DC1
                                • fputc.MSVCRT ref: 00F79DDE
                                • fputs.MSVCRT ref: 00F79E33
                                • fputc.MSVCRT ref: 00F79E75
                                • fputc.MSVCRT ref: 00F79E97
                                • fputc.MSVCRT ref: 00F79EAC
                                • fputc.MSVCRT ref: 00F79EC2
                                • fputc.MSVCRT ref: 00F79EC8
                                • fputc.MSVCRT ref: 00F79EDE
                                • fputs.MSVCRT ref: 00F79EE6
                                  • Part of subcall function 00F421D8: fputs.MSVCRT ref: 00F421F2
                                • fputc.MSVCRT ref: 00F79F60
                                • fputc.MSVCRT ref: 00F79F75
                                • fputs.MSVCRT ref: 00F79F7D
                                • fputs.MSVCRT ref: 00F79FF2
                                  • Part of subcall function 00F7B6AB: __EH_prolog.LIBCMT ref: 00F7B6B0
                                  • Part of subcall function 00F7B6AB: fputs.MSVCRT ref: 00F7B6EB
                                  • Part of subcall function 00F7B6AB: fputs.MSVCRT ref: 00F7B71A
                                  • Part of subcall function 00F7B6AB: fputs.MSVCRT ref: 00F7B79D
                                • fputs.MSVCRT ref: 00F79F1A
                                  • Part of subcall function 00F41FA0: fputc.MSVCRT ref: 00F41FA7
                                  • Part of subcall function 00F7B650: fputc.MSVCRT ref: 00F7B673
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputc$fputs$H_prolog$ExceptionThrow$_fileno_isatty$strlen$ApisBufferCommandConsoleFileHandleInfoLineScreenfree
                                • String ID: Decoding ERROR$ $ || $7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Codecs:$Compressed: $ERROR:$Errors: $Files: $Folders: $Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$OK archives: $Open Errors: $P$Scanning the drive for archives:$Size: $Sub items Errors: $Warnings: $offset=
                                • API String ID: 1415005349-4135723878
                                • Opcode ID: ddf26024732798aabd21f8ca169c9bbea63260be3c20ac4facf11e5664eaeef4
                                • Instruction ID: 95e3b6995f9e6e2b67877840325115f0cd982d19f3899c9eea347310ebf031fe
                                • Opcode Fuzzy Hash: ddf26024732798aabd21f8ca169c9bbea63260be3c20ac4facf11e5664eaeef4
                                • Instruction Fuzzy Hash: D0D29931D04218DFDF26EBA4CC85BEDBBB5BF44310F10809AE549A7291DB785A85EF12

                                Control-flow Graph
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F51AE3
                                  • Part of subcall function 00F413F5: __EH_prolog.LIBCMT ref: 00F413FA
                                • _CxxThrowException.MSVCRT(?,00FF6010), ref: 00F51B2D
                                • _fileno.MSVCRT ref: 00F51B3E
                                • _isatty.MSVCRT ref: 00F51B47
                                • _fileno.MSVCRT ref: 00F51B5D
                                • _isatty.MSVCRT ref: 00F51B60
                                • _fileno.MSVCRT ref: 00F51B73
                                • _CxxThrowException.MSVCRT(?,00FF6010), ref: 00F51CBB
                                • _CxxThrowException.MSVCRT(?,00FF6010), ref: 00F51DBD
                                • wcscmp.MSVCRT ref: 00F51DCA
                                • _CxxThrowException.MSVCRT(?,00FF6010), ref: 00F51E04
                                • _isatty.MSVCRT ref: 00F51B76
                                  • Part of subcall function 00F61D73: __EH_prolog.LIBCMT ref: 00F61D78
                                • _CxxThrowException.MSVCRT(?,00FF6010), ref: 00F51E2C
                                • GetCurrentProcess.KERNEL32(00000000,?), ref: 00F51E3B
                                • SetProcessAffinityMask.KERNEL32(00000000), ref: 00F51E42
                                • GetLastError.KERNEL32 ref: 00F51E4C
                                Strings
                                • Unsupported switch postfix -stm, xrefs: 00F51DAA
                                • SeLockMemoryPrivilege, xrefs: 00F51D28
                                • : ERROR : , xrefs: 00F51E52
                                • Unsupported switch postfix -bb, xrefs: 00F51CA8
                                • Unsupported switch postfix for -slp, xrefs: 00F51DF1
                                • unsupported value -stm, xrefs: 00F51E19
                                • Set process affinity mask: , xrefs: 00F51D74
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionThrow$H_prolog_fileno_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                                • String ID: : ERROR : $SeLockMemoryPrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp$unsupported value -stm
                                • API String ID: 1826148334-1115009270
                                • Opcode ID: c1943e23dba6f51dab82bf9260907166dab8e9e5ba63eb047b7a33a3a9d8dd4c
                                • Instruction ID: 59fc9a552d0310dd6e1ffb26a2dd4c95e3a08c70440dd1d0af83c7db6f8d039f
                                • Opcode Fuzzy Hash: c1943e23dba6f51dab82bf9260907166dab8e9e5ba63eb047b7a33a3a9d8dd4c
                                • Instruction Fuzzy Hash: 26C1D231900285AFDB11EFB4C889BD9BFF1BF09314F088459E99597292CB78F948EB51

                                Control-flow Graph
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F78017
                                • fputs.MSVCRT ref: 00F7804D
                                  • Part of subcall function 00F78341: __EH_prolog.LIBCMT ref: 00F78346
                                  • Part of subcall function 00F78341: fputs.MSVCRT ref: 00F7835B
                                  • Part of subcall function 00F78341: fputs.MSVCRT ref: 00F78364
                                • fputs.MSVCRT ref: 00F7807A
                                  • Part of subcall function 00F41FA0: fputc.MSVCRT ref: 00F41FA7
                                  • Part of subcall function 00F4965D: VariantClear.OLEAUT32(?), ref: 00F4967F
                                • SysFreeString.OLEAUT32(00000000), ref: 00F781AA
                                • fputs.MSVCRT ref: 00F781CD
                                • SysFreeString.OLEAUT32(00000000), ref: 00F78267
                                • SysFreeString.OLEAUT32(00000000), ref: 00F782B1
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                                • String ID: --$----$Path$Type$Warning: The archive is open with offset
                                • API String ID: 2889736305-3797937567
                                • Opcode ID: 0b18882717cf6ce12f0c5f93a04ffb5e330ad5b70edde6ab86d63f4aa494fc60
                                • Instruction ID: 9ec98d7415e744583f697994000f0c8d9ca01b01b6f1f3736f1544acb6e25f68
                                • Opcode Fuzzy Hash: 0b18882717cf6ce12f0c5f93a04ffb5e330ad5b70edde6ab86d63f4aa494fc60
                                • Instruction Fuzzy Hash: 82919D31A00605EFCB14DFA4CC88AAEB7B5FF48350F10812AE506E7291DB74AD06EB51

                                Control-flow Graph
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F7676B
                                • EnterCriticalSection.KERNEL32(01002938), ref: 00F76781
                                • fputs.MSVCRT ref: 00F7680B
                                • LeaveCriticalSection.KERNEL32(01002938), ref: 00F76944
                                  • Part of subcall function 00F7C7D7: fputs.MSVCRT ref: 00F7C840
                                • fputs.MSVCRT ref: 00F76851
                                  • Part of subcall function 00F42201: fputs.MSVCRT ref: 00F4221E
                                • fputs.MSVCRT ref: 00F768D9
                                • fputs.MSVCRT ref: 00F768F6
                                  • Part of subcall function 00F41FA0: fputc.MSVCRT ref: 00F41FA7
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                                • String ID: v$Sub items Errors:
                                • API String ID: 2670240366-2468115448
                                • Opcode ID: 26a9da0826ac971c7e87f2c14252a528ea33ba93752b56e070ff9349b94548ad
                                • Instruction ID: 6c869b31e1261a8df9e5c58951018632570dcd3fe74f400e117004b293fe14f8
                                • Opcode Fuzzy Hash: 26a9da0826ac971c7e87f2c14252a528ea33ba93752b56e070ff9349b94548ad
                                • Instruction Fuzzy Hash: 9451B231900A40CFC7259F64DC94AAABBF1FF44320F14842EE69E8B251CB347C45EB52

                                Control-flow Graph
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F7635E
                                • fputs.MSVCRT ref: 00F7645F
                                  • Part of subcall function 00F7C7D7: fputs.MSVCRT ref: 00F7C840
                                • fputs.MSVCRT ref: 00F76547
                                • fputs.MSVCRT ref: 00F7665F
                                • fputs.MSVCRT ref: 00F766AE
                                  • Part of subcall function 00F41F91: fflush.MSVCRT ref: 00F41F93
                                  • Part of subcall function 00F41FB3: __EH_prolog.LIBCMT ref: 00F41FB8
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog$fflushfree
                                • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                                • API String ID: 1750297421-1898165966
                                • Opcode ID: 904f575128eb2cad8f69bd68d47008de39431d2ed12f87d2f1962cf131740e37
                                • Instruction ID: afa98259398594b9afeabe64121ed56440aaf1ca5a42295c453b50794413f1cf
                                • Opcode Fuzzy Hash: 904f575128eb2cad8f69bd68d47008de39431d2ed12f87d2f1962cf131740e37
                                • Instruction Fuzzy Hash: E7B16530A01B018FDB24EF60CD91BAAB7E1BF44324F44852EE95E97251CB74AD49EF51

                                Control-flow Graph
                                APIs
                                • GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00F49CB3
                                • GetProcAddress.KERNEL32(00000000), ref: 00F49CBA
                                • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00F49CC8
                                • GlobalMemoryStatus.KERNEL32(?), ref: 00F49CFA
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: GlobalMemoryStatus$AddressHandleModuleProc
                                • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                                • API String ID: 180289352-802862622
                                • Opcode ID: e4737b1847182288817695331898bfa3233c4831cf716bd90e663750a6225318
                                • Instruction ID: 44cde42c832e3d815bec624f41c6180ae41be7d3d06395a5de5f9608eabca5d5
                                • Opcode Fuzzy Hash: e4737b1847182288817695331898bfa3233c4831cf716bd90e663750a6225318
                                • Instruction Fuzzy Hash: BD115B71A0430A9FCF20DF94D889BAEBBF4BF04705F100418E942BB240D7B8E940EB54

                                Control-flow Graph
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F46C77
                                • SetLastError.KERNEL32(00000002,?,?,?,?,00000000,?,?,00000001), ref: 00F46EC9
                                  • Part of subcall function 00F46C72: wcscmp.MSVCRT ref: 00F470A5
                                  • Part of subcall function 00F46BF5: __EH_prolog.LIBCMT ref: 00F46BFA
                                  • Part of subcall function 00F46BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 00F46C1A
                                  • Part of subcall function 00F46BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?,?,00000000), ref: 00F46C49
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                                • String ID: :$:$DATA$\
                                • API String ID: 3316598575-1004618218
                                • Opcode ID: 1a8feeba0190223679a08d3b28cfd07fe550a0ebbc960abeb16178d9c587a078
                                • Instruction ID: e83d5cafd53f3577ab330835b4c8991bb94004b787c4c0f673f40f03b0442cfd
                                • Opcode Fuzzy Hash: 1a8feeba0190223679a08d3b28cfd07fe550a0ebbc960abeb16178d9c587a078
                                • Instruction Fuzzy Hash: 09E10830D003099ACF15EFA4CC91BEDBFB1BF55324F104519EC46A7292EB78A989E752

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__setusermatherrexit
                                • String ID:
                                • API String ID: 288034905-0
                                • Opcode ID: 1177e861e0acfbc05be8410bb1cedf514b82f9253eb5e9a764cb6e6d8ac3448d
                                • Instruction ID: 759bf16d1228423d85faebe9c724188e8bf6d97e61cd5050d20293fe7a47dbc3
                                • Opcode Fuzzy Hash: 1177e861e0acfbc05be8410bb1cedf514b82f9253eb5e9a764cb6e6d8ac3448d
                                • Instruction Fuzzy Hash: 2D012D72900348AFDF05DBE0DC89CED7B7AFB0D304F10405AF641BA262DA799841EB60

                                Control-flow Graph

                                APIs
                                • __EH_prolog.LIBCMT ref: 00F6185D
                                  • Part of subcall function 00F6021A: __EH_prolog.LIBCMT ref: 00F6021F
                                  • Part of subcall function 00F6062E: __EH_prolog.LIBCMT ref: 00F60633
                                • _CxxThrowException.MSVCRT(?,00FF6010), ref: 00F61961
                                  • Part of subcall function 00F61AA5: __EH_prolog.LIBCMT ref: 00F61AAA
                                Strings
                                • Duplicate archive path:, xrefs: 00F61A8D
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ExceptionThrow
                                • String ID: Duplicate archive path:
                                • API String ID: 2366012087-4000988232
                                • Opcode ID: d0a6036e2af3a5c49b25af5847994cb9d18a18fe6e484ccd09958b85c9173493
                                • Instruction ID: d54586b361d1194ef8fc584f743b3c6cc41cea97b82c68062de64c80d2d09578
                                • Opcode Fuzzy Hash: d0a6036e2af3a5c49b25af5847994cb9d18a18fe6e484ccd09958b85c9173493
                                • Instruction Fuzzy Hash: D9819F31D00149DFCF25EFA4D991ADDBBB1BF08310F1440AAE90677292DB38AE45EB61

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 1e9681d1978b7fb064dbde28e67ecb67d78c284b4f277509994f9c0ecfcf33e0
                                • Instruction ID: 82542c49c504e3f55229c458a5f70c35b48168123ac84eed51f91dd4ba4d172f
                                • Opcode Fuzzy Hash: 1e9681d1978b7fb064dbde28e67ecb67d78c284b4f277509994f9c0ecfcf33e0
                                • Instruction Fuzzy Hash: A1515176E003099FDB14EFA4C8C5BFEB3B5FF88354F148429E901AB241D774A949AB60

                                Control-flow Graph

                                APIs
                                • __EH_prolog.LIBCMT ref: 00F56FCA
                                  • Part of subcall function 00F56E71: __EH_prolog.LIBCMT ref: 00F56E76
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
                                • API String ID: 3519838083-394804653
                                • Opcode ID: 8779f5e2cfca8d885be6d5f5856a472c06f88d8298f4b26ada44d29e68acf365
                                • Instruction ID: 97283abdf3a288d382845bbc986368213e81ad0522cc5a03e82a3e80c9735a33
                                • Opcode Fuzzy Hash: 8779f5e2cfca8d885be6d5f5856a472c06f88d8298f4b26ada44d29e68acf365
                                • Instruction Fuzzy Hash: 5C410932D047849BCF21EFA59450AEEFBF5BF45311F58446EDA86A3241C6306E4CE761

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog
                                • String ID: =
                                • API String ID: 2614055831-2525689732
                                • Opcode ID: 56168f8ab235af5f45efb87e0cb6b461060babc8b88986069c334df29992021c
                                • Instruction ID: ab7e5bcc692a75c9f2c93b0dbf60db3dd93269fd78004d4d4d2d50bb425ba0d6
                                • Opcode Fuzzy Hash: 56168f8ab235af5f45efb87e0cb6b461060babc8b88986069c334df29992021c
                                • Instruction Fuzzy Hash: A7216D32904118AACF05EB94ED46AEDBBB5EF44320F24402BF80572192DF796E95EA91

                                Control-flow Graph

                                APIs
                                • __EH_prolog.LIBCMT ref: 00F78346
                                • fputs.MSVCRT ref: 00F7835B
                                • fputs.MSVCRT ref: 00F78364
                                  • Part of subcall function 00F783BF: __EH_prolog.LIBCMT ref: 00F783C4
                                  • Part of subcall function 00F783BF: fputs.MSVCRT ref: 00F78401
                                  • Part of subcall function 00F783BF: fputs.MSVCRT ref: 00F78437
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog
                                • String ID: =
                                • API String ID: 2614055831-2525689732
                                • Opcode ID: dd193b406771e8ca4a115ea8437b45551196015329db2b5127f8377da99bfb4f
                                • Instruction ID: e12041400fa4cfbfa39c9deeddd060d872f88237083d604d3d24199dfce25a96
                                • Opcode Fuzzy Hash: dd193b406771e8ca4a115ea8437b45551196015329db2b5127f8377da99bfb4f
                                • Instruction Fuzzy Hash: 7D01DB31A00005ABCB55BB68DC56AED7F75EF84750F00801BF84552161CF784996FBD2

                                Control-flow Graph

                                APIs
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,00000000,00F5AB57), ref: 00FD7DAA
                                • GetLastError.KERNEL32(?,00000000,00F5AB57), ref: 00FD7DBB
                                • CloseHandle.KERNELBASE(00000000,?,00000000,00F5AB57), ref: 00FD7DCF
                                • GetLastError.KERNEL32(?,00000000,00F5AB57), ref: 00FD7DD9
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ErrorLast$CloseHandleObjectSingleWait
                                • String ID:
                                • API String ID: 1796208289-0
                                • Opcode ID: a98767aada4977716c7d50da8ea5e6711fb04359dacf349be73044a6638006e2
                                • Instruction ID: 988ca13e854e7a09316c720d829d8736144de085ff89b79952bfb17eac772f3a
                                • Opcode Fuzzy Hash: a98767aada4977716c7d50da8ea5e6711fb04359dacf349be73044a6638006e2
                                • Instruction Fuzzy Hash: E9F054717083414BDB207A7D9C84B36769BAF55374728072BF560CA3D0FA61CC01A650
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CountTickfputs
                                • String ID: .
                                • API String ID: 290905099-4150638102
                                • Opcode ID: 91f33998bf1055403b44dac4f3a01efcaafd7dad367a1f9851e444649fdf7f8e
                                • Instruction ID: 4fdc9d804ad71fa60ccf691d1c203ba54634e33eb72def833d3dc63e83fccc19
                                • Opcode Fuzzy Hash: 91f33998bf1055403b44dac4f3a01efcaafd7dad367a1f9851e444649fdf7f8e
                                • Instruction Fuzzy Hash: A2714D30A00B049FDB61DB68C891AAEBBF5BF80314F40881EF58B97641DB74F945DB52
                                APIs
                                  • Part of subcall function 00F49C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00F49CB3
                                  • Part of subcall function 00F49C8F: GetProcAddress.KERNEL32(00000000), ref: 00F49CBA
                                  • Part of subcall function 00F49C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00F49CC8
                                • __aulldiv.LIBCMT ref: 00F8093F
                                • __aulldiv.LIBCMT ref: 00F8094B
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                                • String ID: 3333
                                • API String ID: 3520896023-2924271548
                                • Opcode ID: 63777584fba951397a1aa2254dc20f19df8c00bff44c76c1fd1965851998c4a1
                                • Instruction ID: c9feb4b1e54e14548c6ef6e1693eaff48806d14d6628dbab896fdfa301bdfe92
                                • Opcode Fuzzy Hash: 63777584fba951397a1aa2254dc20f19df8c00bff44c76c1fd1965851998c4a1
                                • Instruction Fuzzy Hash: A021BAB1D007046FE730EF698C81A5BBAF9EB84750F04892FF186D3341DA7499049755
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F7C281
                                  • Part of subcall function 00F7C54C: GetVersionExW.KERNEL32(?), ref: 00F7C566
                                • fputs.MSVCRT ref: 00F7C2B8
                                Strings
                                • Unsupported Windows version, xrefs: 00F7C2B3
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prologVersionfputs
                                • String ID: Unsupported Windows version
                                • API String ID: 1051792753-2397968907
                                • Opcode ID: f522bb02f5df7b48b0d27de05174dba6b70dcac868f95dbfcab25135b494da13
                                • Instruction ID: 76977e2e04b4a35b745970eedac1713715905434e5547772fddf7c2c0ab97bc0
                                • Opcode Fuzzy Hash: f522bb02f5df7b48b0d27de05174dba6b70dcac868f95dbfcab25135b494da13
                                • Instruction Fuzzy Hash: B2012472901205DFCB05EFD8ED0A7EDB7B0EB00364F20811FE001A3192C7B92A05EBA2
                                APIs
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                • memset.MSVCRT ref: 00F6AEBA
                                • memset.MSVCRT ref: 00F6AECD
                                  • Part of subcall function 00F804D2: _CxxThrowException.MSVCRT(00000000,00FF4A58), ref: 00F804F8
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: memset$ExceptionThrowfree
                                • String ID: Split
                                • API String ID: 1404239998-1882502421
                                • Opcode ID: 9e1863ac4dc988f1bc6416f9b3efc7b93bd025523c194c1892fd60f60b3f7102
                                • Instruction ID: bd109161f44900b2c3d2fb14e293dca29205ea6739b665c764adfbf2f9d1c108
                                • Opcode Fuzzy Hash: 9e1863ac4dc988f1bc6416f9b3efc7b93bd025523c194c1892fd60f60b3f7102
                                • Instruction Fuzzy Hash: 4A424B30E00249DFDF25DBA4C984BADBBB5BF45314F244099E849B7252CB35AE85EF12
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F4759F
                                  • Part of subcall function 00F4764C: CloseHandle.KERNELBASE(00000000,?,00F475AF,?,?,00000003,02000000), ref: 00F47657
                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,00000000,00000000,?,?,?,?,00000003,02000000), ref: 00F475E5
                                • CreateFileW.KERNEL32(000000FF,?,00000001,00000000,?,00000000,00000000,00000000,?,?,?,?,00000003,02000000), ref: 00F47626
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CreateFile$CloseH_prologHandle
                                • String ID:
                                • API String ID: 449569272-0
                                • Opcode ID: 950fb315efaf2726e1bff2a004b02731b043849af88cbebd5a7cae8b6e177ef8
                                • Instruction ID: 191618b359198bf537ae98c79c8f89c2f092942adf1dbfd7f7db51c32c5cfb74
                                • Opcode Fuzzy Hash: 950fb315efaf2726e1bff2a004b02731b043849af88cbebd5a7cae8b6e177ef8
                                • Instruction Fuzzy Hash: CA11A27280020AEFCF11AFA4CC408EEBF7AFF44364B048529FD60561A1C7759DA1EB50
                                APIs
                                • fputs.MSVCRT ref: 00F78437
                                • fputs.MSVCRT ref: 00F78401
                                  • Part of subcall function 00F41FB3: __EH_prolog.LIBCMT ref: 00F41FB8
                                • __EH_prolog.LIBCMT ref: 00F783C4
                                  • Part of subcall function 00F41FA0: fputc.MSVCRT ref: 00F41FA7
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prologfputs$fputc
                                • String ID:
                                APIs
                                • SetFilePointer.KERNELBASE(?,?,?,?), ref: 00F47773
                                • GetLastError.KERNEL32(?,?,?,?), ref: 00F47780
                                • SetLastError.KERNEL32(00000000,?,?,?,?), ref: 00F47797
                                Similarity
                                • API ID: ErrorLast$FilePointer
                                • String ID:
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F45A91
                                • SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 00F45AB7
                                • SetFileAttributesW.KERNEL32(?,?,00000000,?,?,00000000), ref: 00F45AEC
                                Similarity
                                • API ID: AttributesFile$H_prolog
                                • String ID:
                                APIs
                                • EnterCriticalSection.KERNEL32(01002938), ref: 00F7588B
                                • LeaveCriticalSection.KERNEL32(01002938), ref: 00F758BC
                                  • Part of subcall function 00F7C911: GetTickCount.KERNEL32 ref: 00F7C926
                                Strings
                                Similarity
                                • API ID: CriticalSection$CountEnterLeaveTick
                                • String ID: v
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F55BEF
                                  • Part of subcall function 00F554C0: __EH_prolog.LIBCMT ref: 00F554C5
                                  • Part of subcall function 00F55630: __EH_prolog.LIBCMT ref: 00F55635
                                  • Part of subcall function 00F636EA: __EH_prolog.LIBCMT ref: 00F636EF
                                  • Part of subcall function 00F557C1: __EH_prolog.LIBCMT ref: 00F557C6
                                  • Part of subcall function 00F558BE: __EH_prolog.LIBCMT ref: 00F558C3
                                Strings
                                • Cannot seek to begin of file, xrefs: 00F5610F
                                Similarity
                                • API ID: H_prolog
                                • String ID: Cannot seek to begin of file
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F84E8F
                                  • Part of subcall function 00F4965D: VariantClear.OLEAUT32(?), ref: 00F4967F
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                Strings
                                Similarity
                                • API ID: ClearH_prologVariantfree
                                • String ID: file
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F62CE0
                                  • Part of subcall function 00F45E10: __EH_prolog.LIBCMT ref: 00F45E15
                                  • Part of subcall function 00F541EC: _CxxThrowException.MSVCRT(?,00FF4A58), ref: 00F5421A
                                  • Part of subcall function 00F4965D: VariantClear.OLEAUT32(?), ref: 00F4967F
                                Strings
                                • Cannot create output directory, xrefs: 00F63070
                                Similarity
                                • API ID: H_prolog$ClearExceptionThrowVariant
                                • String ID: Cannot create output directory
                                APIs
                                • fputs.MSVCRT ref: 00F7C840
                                  • Part of subcall function 00F425CB: _CxxThrowException.MSVCRT(?,00FF4A58), ref: 00F425ED
                                Strings
                                Similarity
                                • API ID: ExceptionThrowfputs
                                • String ID:
                                APIs
                                Strings
                                Similarity
                                • API ID: fputs
                                • String ID: Open
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F558C3
                                  • Part of subcall function 00F46C72: __EH_prolog.LIBCMT ref: 00F46C77
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                Similarity
                                • API ID: H_prolog$free
                                • String ID:
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F906B3
                                • _CxxThrowException.MSVCRT(?,00FFD480), ref: 00F908F2
                                  • Part of subcall function 00F41E0C: malloc.MSVCRT ref: 00F41E1F
                                  • Part of subcall function 00F41E0C: _CxxThrowException.MSVCRT(00FF4B28,00FF4B28), ref: 00F41E39
                                Similarity
                                • API ID: ExceptionThrow$H_prologmalloc
                                • String ID:
                                APIs
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F67B4D
                                • memcpy.MSVCRT(00000000,010027DC,?,?,?,?), ref: 00F67C65
                                Similarity
                                • API ID: H_prologmemcpy
                                • String ID:
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F91516
                                  • Part of subcall function 00F910D3: __EH_prolog.LIBCMT ref: 00F910D8
                                • _CxxThrowException.MSVCRT(?,00FFD480), ref: 00F91561
                                Similarity
                                • API ID: H_prolog$ExceptionThrow
                                • String ID:
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F75800
                                • fputs.MSVCRT ref: 00F75830
                                  • Part of subcall function 00F41FA0: fputc.MSVCRT ref: 00F41FA7
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                Similarity
                                • API ID: H_prologfputcfputsfree
                                • String ID:
                                APIs
                                Similarity
                                • API ID: fputs$fputc
                                • String ID:
                                APIs
                                • SysAllocStringLen.OLEAUT32(?,?), ref: 00F4952C
                                • _CxxThrowException.MSVCRT(?,00FF55B8), ref: 00F4954A
                                Similarity
                                • API ID: AllocExceptionStringThrow
                                • String ID:
                                APIs
                                Similarity
                                • API ID: ErrorLast_beginthreadex
                                • String ID:
                                • API String ID: 4034172046-0
                                • Opcode ID: ecb60311486acce6f02fe46276d4bac2c873cc85dba7710daf579104baac2dcd
                                • Instruction ID: 621332b3e8857772c99566176eec916ef57f13ff924029609135af4d20f69527
                                • Opcode Fuzzy Hash: ecb60311486acce6f02fe46276d4bac2c873cc85dba7710daf579104baac2dcd
                                • Instruction Fuzzy Hash: 6DE08CB26083126AE310AB608C02F677298ABA0B51F48846EFA45CA280F6608D00D3A1
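Every function record above cites the same set of memory dumps, named in Joe Sandbox's eight-field `.sdmp` convention (for example `0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp`, listed as the source with `Offset: 00F40000, based on PE: true`). The following is an added triage helper, not code from Joe Sandbox or from this report: it splits such a name into its hex fields and decodes fields 5 and 7 as Windows `PAGE_*` protection and `MEM_*` region type, which is an assumption based on the values seen here (0x20, 0x02 and 0x04 on the executable, read-only and read-write sections of an image, 0x01000000 for MEM_IMAGE). The first field is read as the process id, consistent with the `10` in `hcaresult_10_2_f40000_7zr.jbxd`; the remaining fields are kept raw. The RWX private-memory sample at the end is constructed, not taken from this report, to show what an unpacked or injected code region would look like under the same decoding.

```python
"""Decode Joe Sandbox .sdmp memory-dump file names for triage.

Added example, not part of the Joe Sandbox report or its tooling. Field
semantics beyond the process id are assumptions: fields 5 and 7 are decoded
as Windows PAGE_* protection and MEM_* region type because the values on the
page (0x20/0x02/0x04 and 0x01000000) match those constants exactly.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Windows memory protection constants (winnt.h). PAGE_GUARD/PAGE_NOCACHE
# modifiers live above bit 7 and are masked off before lookup.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# Windows region type constants (winnt.h)
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# The five dumps cited by the function records on this page (real names).
PAGE_DUMPS = [
    "0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp",
    "0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp",
    "0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp",
    "0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp",
    "0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp",
]
# Constructed sample (not from the report): RWX private region, the shape an
# unpacker or injected shellcode buffer would have.
CONSTRUCTED_RWX = "0000000A.00000002.1807800000.0000000002A00000.00000040.00000001.00020000.00000000.sdmp"


@dataclass(frozen=True)
class DumpName:
    name: str
    pid: int          # field 1: process id (the "10" in hcaresult_10_2_...)
    stage: int        # field 2: kept raw (assumed analysis stage; the "2" in hcaresult_10_2_...)
    dump_id: int      # field 3: kept raw (assumed dump sequence number)
    base: int         # field 4: region base address
    protect: int      # field 5: assumed PAGE_* protection
    field6: int       # field 6: kept raw; meaning not established by the page
    mem_type: int     # field 7: assumed MEM_* region type
    module_idx: int   # field 8: kept raw (assumed module index)

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, hex(self.mem_type))

    @property
    def executable(self) -> bool:
        return (self.protect & 0xFF) in EXECUTABLE

    @property
    def writable(self) -> bool:
        return (self.protect & 0xFF) in WRITABLE


def parse_sdmp_name(name: str) -> DumpName:
    """Split an eight-field .sdmp file name into its hex fields."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError(f"expected 8 dot-separated fields, got {len(fields)}: {name}")
    return DumpName(name, *[int(f, 16) for f in fields])


def classify(d: DumpName) -> str:
    """Coarse triage label for one dump region."""
    if d.type_name == "MEM_IMAGE":
        return "image-code" if d.executable else "image-data"
    if d.executable and d.writable:
        return "rwx-non-image"   # writable and executable outside any image: unpacked/injected code indicator
    if d.executable:
        return "exec-non-image"
    return "other"


def pick_code_dumps(names: Iterable[str]) -> List[str]:
    """Executable MEM_IMAGE regions, i.e. the dumps worth loading into a disassembler."""
    return [n for n in names if classify(parse_sdmp_name(n)) == "image-code"]


if __name__ == "__main__":
    for n in PAGE_DUMPS + [CONSTRUCTED_RWX]:
        d = parse_sdmp_name(n)
        print(f"pid={d.pid:<3} base={d.base:#010x} {d.protect_name:<23} {d.type_name:<11} {classify(d)}")
```

Run against the five names on this page, the only dump that comes back as `image-code` is the one at `F41000` with protection 0x20, which is exactly the one the IDA plugin lists as its `Source File`; the headers dump at `F40000` and the `FEC000`, `1002000` and `100B000` dumps are read-only or read-write image data. A `rwx-non-image` hit is the result to chase first in a real report, since a benign image section is never mapped writable and executable at once.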
                                APIs
                                • GetCurrentProcess.KERNEL32(?,?,00F49C6E), ref: 00F49C52
                                • GetProcessAffinityMask.KERNEL32(00000000), ref: 00F49C59
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: Process$AffinityCurrentMask
                                • String ID:
                                • API String ID: 1231390398-0
                                • Opcode ID: 9aeceefd5a00f46b86e9c85d6b66ebc818fd968d1c0266edc27d37f9692675ac
                                • Instruction ID: d0241e2bfdcf63039cdf0a9a0fee9f76d40aa98ccc0068a994eeaf909b6d3390
                                • Opcode Fuzzy Hash: 9aeceefd5a00f46b86e9c85d6b66ebc818fd968d1c0266edc27d37f9692675ac
                                • Instruction Fuzzy Hash: 8BB092B2400288EBCE00DBA09D8CC163B2CAA442013004644F309CA010C636C0469BA0
                                APIs
                                • memcpy.MSVCRT(?,00000000,00000000,00000000,00040000,?), ref: 00F4B843
                                • GetLastError.KERNEL32 ref: 00F4B8AA
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ErrorLastmemcpy
                                • String ID:
                                • API String ID: 2523627151-0
                                • Opcode ID: d89859aec1eca0583d462578e5a6d0718e785acfe610aa3cc920fee1a9d42c5a
                                • Instruction ID: f09e3b4e190e305c2bb3381473c1f54eb02dbdb8ebd05610be8300bf9e35faf0
                                • Opcode Fuzzy Hash: d89859aec1eca0583d462578e5a6d0718e785acfe610aa3cc920fee1a9d42c5a
                                • Instruction Fuzzy Hash: D4813B31A007059FDB64CF25C980B6ABBF6BF84324F15892EEC4687A52D734F946EB50
                                APIs
                                • malloc.MSVCRT ref: 00F41E1F
                                • _CxxThrowException.MSVCRT(00FF4B28,00FF4B28), ref: 00F41E39
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionThrowmalloc
                                • String ID:
                                • API String ID: 2436765578-0
                                • Opcode ID: f0b49915e733bc8c6e2c592dea81003c2e5022394fb71aaad9be20cb84e3b0c0
                                • Instruction ID: 7cd99c43d9b7d484a2ea7591e1311da2b38ce17d358e06c810c1fda68f3187d0
                                • Opcode Fuzzy Hash: f0b49915e733bc8c6e2c592dea81003c2e5022394fb71aaad9be20cb84e3b0c0
                                • Instruction Fuzzy Hash: 56E0C23410028CAADF106FA0D844B993FA86F00365F04D026FD0C8E212C274D7D5A740
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 06b26737a53e75ef76968f6db0705b2fd8e366b5fbf79f6caa50eb10a6d63ca4
                                • Instruction ID: 5d5b300eccd9a40f0f31264580fb29592f263e0af995a0137dd5df63e9f07b35
                                • Opcode Fuzzy Hash: 06b26737a53e75ef76968f6db0705b2fd8e366b5fbf79f6caa50eb10a6d63ca4
                                • Instruction Fuzzy Hash: B352C030D00249DFDF11DFA8C898BEDBBB5AF49314F284099E805AB292DB74DE45DB20
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 726b0538760bb2312cc6c039b5446fea31d8394562d881fa2d85273fd32260ba
                                • Instruction ID: b2d1b969907b3f3f54d037c3efa4bcdc778cf640756dbb0fbcef372143615d1f
                                • Opcode Fuzzy Hash: 726b0538760bb2312cc6c039b5446fea31d8394562d881fa2d85273fd32260ba
                                • Instruction Fuzzy Hash: 91F1D471904785CFCF21CF24C4906AABBF1BF18315F98446EEAAACB211D730AD48EB51
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: d57f53a69869ece9a75635bcfb8228b36ed645cb3a9c16ff4b34acfec7dd7496
                                • Instruction ID: 041f003be8aae5801bfcb462f97f310eaa18a2abba38ec4a88cdfcaa07d0c15b
                                • Opcode Fuzzy Hash: d57f53a69869ece9a75635bcfb8228b36ed645cb3a9c16ff4b34acfec7dd7496
                                • Instruction Fuzzy Hash: C3D18770E00646AFEF28DFA8C880BEEBBB1BF49310F10453DE955A7651D775A884DB90
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F8CF96
                                  • Part of subcall function 00F91511: __EH_prolog.LIBCMT ref: 00F91516
                                  • Part of subcall function 00F91511: _CxxThrowException.MSVCRT(?,00FFD480), ref: 00F91561
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ExceptionThrow
                                • String ID:
                                • API String ID: 2366012087-0
                                • Opcode ID: 8216a67331371effb223b7e09a0c4ae7c499c8b8c33c1c5cdab1321b23a95eab
                                • Instruction ID: 9c0aeebcc959cd16c5b7673709bf2af44608d4468f1895dec9c4ace43e0da195
                                • Opcode Fuzzy Hash: 8216a67331371effb223b7e09a0c4ae7c499c8b8c33c1c5cdab1321b23a95eab
                                • Instruction Fuzzy Hash: 18514F71900289DFDB11DFA8C8C8BEEBBB4AF49304F1444AEE45AD7242C7759E45EB21
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: b01b55a9389acdfb79f239fe61206f0e1b61227edc3bfda922447d22307b11ac
                                • Instruction ID: 259fffdaaef8a3a3145c3fe451aa173a6519d0cc1eca8ee523c5e0031fd44c75
                                • Opcode Fuzzy Hash: b01b55a9389acdfb79f239fe61206f0e1b61227edc3bfda922447d22307b11ac
                                • Instruction Fuzzy Hash: C2515C74E00606DFCB14CFA4C4809BAFBB2FF49314B14896ED5969B751D331A90AEF91
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 30c8baaa13acc5a33cd33c768bebd3fd8eab1bc3892bae3de270f32f6099409f
                                • Instruction ID: 0b15f6983c300008c3e4e90ae0faf5711a150c4e7c9d7e2487d8f5327cf0fcd7
                                • Opcode Fuzzy Hash: 30c8baaa13acc5a33cd33c768bebd3fd8eab1bc3892bae3de270f32f6099409f
                                • Instruction Fuzzy Hash: 9F41A071A00746EFEB24DF55C484BAABBA0FF44320F188A6ED49687691D370ED81DB81
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F54255
                                  • Part of subcall function 00F5440B: __EH_prolog.LIBCMT ref: 00F54410
                                  • Part of subcall function 00F41E0C: malloc.MSVCRT ref: 00F41E1F
                                  • Part of subcall function 00F41E0C: _CxxThrowException.MSVCRT(00FF4B28,00FF4B28), ref: 00F41E39
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ExceptionThrowmalloc
                                • String ID:
                                • API String ID: 3744649731-0
                                • Opcode ID: b26b4ea190b7fe82cc4783f52d748831b2588b0d9332c1307720efb67c514f2b
                                • Instruction ID: f4ecf04f2ab24d4a8342d44bf17fde0c261b3b3a2b8db93be30e372c09ea9f5e
                                • Opcode Fuzzy Hash: b26b4ea190b7fe82cc4783f52d748831b2588b0d9332c1307720efb67c514f2b
                                • Instruction Fuzzy Hash: B951F9B0801784CFC325DF6AC58468AFFF0BF19304F5488AED49A5B752D7B4A608EB61
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F6D0E6
                                  • Part of subcall function 00F41E0C: malloc.MSVCRT ref: 00F41E1F
                                  • Part of subcall function 00F41E0C: _CxxThrowException.MSVCRT(00FF4B28,00FF4B28), ref: 00F41E39
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionH_prologThrowmalloc
                                • String ID:
                                • API String ID: 3978722251-0
                                • Opcode ID: 696182bf42a54156265ce0321412f94ac6c55d31ad42c644dff986359c6a634d
                                • Instruction ID: 5360a0eb6f9f4c288e11a4cff1a49a78681a593d8250286eebe80b69995a2eae
                                • Opcode Fuzzy Hash: 696182bf42a54156265ce0321412f94ac6c55d31ad42c644dff986359c6a634d
                                • Instruction Fuzzy Hash: 2741B471F002559FDB10DFA8C944BAEBBB4BF56310F244459E842E7282CBB4DD44DB90
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F57FCA
                                  • Part of subcall function 00F4950D: SysAllocStringLen.OLEAUT32(?,?), ref: 00F4952C
                                  • Part of subcall function 00F4950D: _CxxThrowException.MSVCRT(?,00FF55B8), ref: 00F4954A
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: AllocExceptionH_prologStringThrow
                                • String ID:
                                • API String ID: 1940201546-0
                                • Opcode ID: 8f3b932766b4a00f832425b292af54783f3b35fab555e3913aea12d3862ec344
                                • Instruction ID: ecf76e5c66247135512209783ca210a5e257cb3f77185d45c7cfd06082dd93f2
                                • Opcode Fuzzy Hash: 8f3b932766b4a00f832425b292af54783f3b35fab555e3913aea12d3862ec344
                                • Instruction Fuzzy Hash: D9319133D141498ACF14AB64CC519FE7B70FF14366F544019EA02B71A2DE359A0EF751
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F7ADBC
                                  • Part of subcall function 00F7AD29: __EH_prolog.LIBCMT ref: 00F7AD2E
                                  • Part of subcall function 00F7AF2D: __EH_prolog.LIBCMT ref: 00F7AF32
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 62a60cf7575e7ff892f1e1df39c214e3a64f46a846e421480bad7419f22ba37b
                                • Instruction ID: 9453cf93dd0183d789278cdfa24c239b9d8037a5a9739b7c66a3754bb1249a87
                                • Opcode Fuzzy Hash: 62a60cf7575e7ff892f1e1df39c214e3a64f46a846e421480bad7419f22ba37b
                                • Instruction Fuzzy Hash: AA41E97144ABC0CEC326DF7885646CAFFE06F25200F88C99ED4EA43752D674A60CD766
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: cea7fc17ac0cb3283f6a14d02fe97000ba827c7fc65d2f1f9bce69a24e03dd92
                                • Instruction ID: 6a52b9af6164afb499577567d9ca35709d34a327c24be7de3ee5a2c1410c8f7b
                                • Opcode Fuzzy Hash: cea7fc17ac0cb3283f6a14d02fe97000ba827c7fc65d2f1f9bce69a24e03dd92
                                • Instruction Fuzzy Hash: 0E312DB1D00209DFCB14EF95C8918EFBBB5FF95364B20851EE42667251DB359E01DBA0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F698F7
                                  • Part of subcall function 00F69987: __EH_prolog.LIBCMT ref: 00F6998C
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 9adac4f160b4a85a0ea16db284abf6f300b5d3d4de2ce9f60630e086e9dd3962
                                • Instruction ID: 9bcc95cbcf93375691d9c9973d15a872da3363ecbbf7da27728ba38cde9bf7b0
                                • Opcode Fuzzy Hash: 9adac4f160b4a85a0ea16db284abf6f300b5d3d4de2ce9f60630e086e9dd3962
                                • Instruction Fuzzy Hash: 88117935B002059FDB10CF69C884EAAB3B9FF89360F14891CE852DB2A1CB71E801DB20
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F6021F
                                  • Part of subcall function 00F53D66: __EH_prolog.LIBCMT ref: 00F53D6B
                                  • Part of subcall function 00F53D66: GetCurrentProcess.KERNEL32 ref: 00F53D7D
                                  • Part of subcall function 00F53D66: OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 00F53D94
                                  • Part of subcall function 00F53D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00F53DB6
                                  • Part of subcall function 00F53D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 00F53DCB
                                  • Part of subcall function 00F53D66: GetLastError.KERNEL32 ref: 00F53DD5
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                • String ID:
                                • API String ID: 1532160333-0
                                • Opcode ID: 84a8820b62657900cc6c67da88b751fe31305de65709e406379b2f0d99342df6
                                • Instruction ID: b50e932b05166aaf981cf7900848894d3709ae253dca92e0a13f05e8310f4546
                                • Opcode Fuzzy Hash: 84a8820b62657900cc6c67da88b751fe31305de65709e406379b2f0d99342df6
                                • Instruction Fuzzy Hash: C92139B1846B90CFC321CF6A86D0686FFF4BB19604B94996FC0DA83B12C774A508CF55
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F61C74
                                  • Part of subcall function 00F46C72: __EH_prolog.LIBCMT ref: 00F46C77
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 655cf38d761d0cd7f0e9460d70f12fec6a2733e538c4400d049cd11eac193b7a
                                • Instruction ID: 1cc92b34b152e66635b08040bbd3fde4979ebeed66da76ca8c4c03ba623ef0f1
                                • Opcode Fuzzy Hash: 655cf38d761d0cd7f0e9460d70f12fec6a2733e538c4400d049cd11eac193b7a
                                • Instruction Fuzzy Hash: 89118B31E002049BCF19EBE4CC52BEEBB75BF44365F084029EC4273292DB695D4AE690
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F57E5F
                                  • Part of subcall function 00F46C72: __EH_prolog.LIBCMT ref: 00F46C77
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                  • Part of subcall function 00F4757D: GetLastError.KERNEL32(00F4D14C), ref: 00F4757D
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ErrorLastfree
                                • String ID:
                                • API String ID: 683690243-0
                                • Opcode ID: a2eb88ce232f85c925ad559fbc915c3a995a951df84af87ea65acc5370f7e91c
                                • Instruction ID: aef276fa587f943397f0eb16e7f5789e25885ea273b48115763492bc0d5ecd31
                                • Opcode Fuzzy Hash: a2eb88ce232f85c925ad559fbc915c3a995a951df84af87ea65acc5370f7e91c
                                • Instruction Fuzzy Hash: 3701E132A447009FC721EF74D8929DABBB1EF45310B04462EE88363692CA38690DEA50
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F8BF91
                                  • Part of subcall function 00F8D144: __EH_prolog.LIBCMT ref: 00F8D149
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$free
                                • String ID:
                                • API String ID: 2654054672-0
                                • Opcode ID: d915792d6706a44d62d6fc4a23421598b5ed292528c7a45f2709574770f153ef
                                • Instruction ID: 5a2d26a2c95da323c50921dee850c402e96bc8bea530edadac258f5e87bf28a6
                                • Opcode Fuzzy Hash: d915792d6706a44d62d6fc4a23421598b5ed292528c7a45f2709574770f153ef
                                • Instruction Fuzzy Hash: 9B117071800715DFC724EF64DD05BDABBF5BF00344F104A1DE4A6936A2D7B5AA58EB80
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F8BDBA
                                  • Part of subcall function 00F8BE69: __EH_prolog.LIBCMT ref: 00F8BE6E
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 6ee1d43ccdb7ecc3261016cf2940aa1748e1f087bb1e063f0fb275e684823149
                                • Instruction ID: 3509a63374f46d60e1fb5a24211b4ab9c7799ec942cac3332723d64c72369257
                                • Opcode Fuzzy Hash: 6ee1d43ccdb7ecc3261016cf2940aa1748e1f087bb1e063f0fb275e684823149
                                • Instruction Fuzzy Hash: 2911E6B1901785CFC320DF5AD588696FBE4BF18304F54C9AED0AA47752C7B4A548DB50
                                APIs
                                • SetFileTime.KERNEL32(?,00000000,000000FF,00000000,?,80000000,?,?,?), ref: 00F47AFD
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: FileTime
                                • String ID:
                                • API String ID: 1425588814-0
                                • Opcode ID: 9d8001935372a678839ada0a4b42e63e675c685a59798d52a92eb2980419af6f
                                • Instruction ID: 2ec710096a6f04e6b4d838d83efeb94e590815912a86b3451f6c91089e7e01a8
                                • Opcode Fuzzy Hash: 9d8001935372a678839ada0a4b42e63e675c685a59798d52a92eb2980419af6f
                                • Instruction Fuzzy Hash: B0018F70504388BFDF269F54CC05BEE3FA5DB05360F148149BCA5562E1C7649E51E750
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F7C0B8
                                  • Part of subcall function 00F67193: __EH_prolog.LIBCMT ref: 00F67198
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$free
                                • String ID:
                                • API String ID: 2654054672-0
                                • Opcode ID: 2c3361ce31abd01c8a5329ba158ea57e3ade7f20cc3f00699617e13b60d90a8c
                                • Instruction ID: 3edcb715548090ef2de3b7fe7192421dcd8109eac247bbebf4e1d65d53085812
                                • Opcode Fuzzy Hash: 2c3361ce31abd01c8a5329ba158ea57e3ade7f20cc3f00699617e13b60d90a8c
                                • Instruction Fuzzy Hash: C6F0F032900312DBC721AB59EC41BAEF3A9EF50720F10402FA406D7612CBB59C50A6C1
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F80364
                                  • Part of subcall function 00F801C4: __EH_prolog.LIBCMT ref: 00F801C9
                                  • Part of subcall function 00F80143: __EH_prolog.LIBCMT ref: 00F80148
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                  • Part of subcall function 00F803D8: __EH_prolog.LIBCMT ref: 00F803DD
                                  • Part of subcall function 00F8004A: __EH_prolog.LIBCMT ref: 00F8004F
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$free
                                • String ID:
                                • API String ID: 2654054672-0
                                • Opcode ID: 845feb42c18139a2d7aeb70972a70fac6cd741f373baf12531e2bc5dacd9fb7e
                                • Instruction ID: fd92b18a7b9dff9862e45ae219f61d62afcb31f9cbed9a5877a0babce20841ff
                                • Opcode Fuzzy Hash: 845feb42c18139a2d7aeb70972a70fac6cd741f373baf12531e2bc5dacd9fb7e
                                • Instruction Fuzzy Hash: 21F0D131914B50DACB19FB68CC267DDBBE5AF00314F50465DE452622D2CFBC6A08A744
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 394827ade05473ee48b51541ba693a62644ac5ea7afb295abc6308196f133dff
                                • Instruction ID: 40c5548c2aeedd5f038ce3ce9822c71136b65643bee4a3221ff79d793b71bf29
                                • Opcode Fuzzy Hash: 394827ade05473ee48b51541ba693a62644ac5ea7afb295abc6308196f133dff
                                • Instruction Fuzzy Hash: F2F0AF32E0011AEBCB00EF98D844DAFBB75FF847A0B14805AF41AE7251CB348A06DB91
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F8550A
                                  • Part of subcall function 00F84E8A: __EH_prolog.LIBCMT ref: 00F84E8F
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: ed477a71a7525ae401983f165af678cfb6fca0eb6f225ef29cd48226e53275e1
                                • Instruction ID: 9ebf3a49cefbf6a8690478b50957d4cb7fe45e26ba8ad977f0651ac56ad3d32f
                                • Opcode Fuzzy Hash: ed477a71a7525ae401983f165af678cfb6fca0eb6f225ef29cd48226e53275e1
                                • Instruction Fuzzy Hash: 09F0E573A00505EBCB01AF48D810BDE7BBAFF84764F14441AF40157201DB75DD00ABA0
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: bfd69364ffe030489a09a0ec587d58d02c442596ced54c5d2f09bed4adea2ed4
                                • Instruction ID: ab0d8bf7488c1d3fa16888659ec781e88db42aa4910da02dd0c4ad9c2579c0eb
                                • Opcode Fuzzy Hash: bfd69364ffe030489a09a0ec587d58d02c442596ced54c5d2f09bed4adea2ed4
                                • Instruction Fuzzy Hash: 55E06D72A00208EFC700EF99D855F9AB7B8EB88354F14841AB00AD7201C7749900DA60
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F85E30
                                  • Part of subcall function 00F808B6: __aulldiv.LIBCMT ref: 00F8093F
                                  • Part of subcall function 00F5DFC9: __EH_prolog.LIBCMT ref: 00F5DFCE
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$__aulldiv
                                • String ID:
                                • API String ID: 604474441-0
                                • Opcode ID: 7a0e0ce5786130d52d7069df1d3a0e9f1d8dc9aed6ca174b1b5a73791d2958d5
                                • Instruction ID: f371c4363b29937881c1a8010120e650d04971ca8ddbdf158f3ab56249c8d52a
                                • Opcode Fuzzy Hash: 7a0e0ce5786130d52d7069df1d3a0e9f1d8dc9aed6ca174b1b5a73791d2958d5
                                • Instruction Fuzzy Hash: 45E03971E11750DFC795EBA8995168EB6E4BB08740F00486FA046D3B41DBB8A9049B80
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F88ED6
                                  • Part of subcall function 00F89267: __EH_prolog.LIBCMT ref: 00F8926C
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 5d224f0fb0073b525771471f11ec1004f08fc255c9f5d173008926f96c6ad304
                                • Instruction ID: 8c64ea3f50db81707389e855d5f703ac757a050effcd97c52db99c39d83442bd
                                • Opcode Fuzzy Hash: 5d224f0fb0073b525771471f11ec1004f08fc255c9f5d173008926f96c6ad304
                                • Instruction Fuzzy Hash: 10E0D872D14564DAC70DFB64D922BEDB7A8EF44704F04065EA44393682CFF86704D781
                                APIs
                                • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00F47C8B
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: FileWrite
                                • String ID:
                                • API String ID: 3934441357-0
                                • Opcode ID: 476d50c56b9b12dfd6ba9d115107e6e93201518b89e432b2a846e6e520c9a167
                                • Instruction ID: cb36d209c13a4842e38447b2cb87a0ae0f4291fd831e43ef540c42710c3cc7a3
                                • Opcode Fuzzy Hash: 476d50c56b9b12dfd6ba9d115107e6e93201518b89e432b2a846e6e520c9a167
                                • Instruction Fuzzy Hash: 76E01A75600209FBCF11CFA5D841B8E7BB9EB09754F20C06AF9199A260D739DA50EF54
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F8BE6E
                                  • Part of subcall function 00F85E2B: __EH_prolog.LIBCMT ref: 00F85E30
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 70d650d0ec7b5e6f32b2502beca9068ef81ce59b8f92c9e044284041f5d857ca
                                • Instruction ID: 317102d70f6f37e6097203bd3dca5b3d82bd9dab872e8d14445856130734e452
                                • Opcode Fuzzy Hash: 70d650d0ec7b5e6f32b2502beca9068ef81ce59b8f92c9e044284041f5d857ca
                                • Instruction Fuzzy Hash: EEE09272A24A608BD315FB24C811BDDB7E8BB00704F04845FE496D3282CFB86A08D7A2
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs
                                • String ID:
                                • API String ID: 1795875747-0
                                • Opcode ID: 7a0cf2f9a170188cf8176f6b21977c97595d7750656dd6d39994cb790a9a5e0c
                                • Instruction ID: a927ced5ae3a29a8064b22c4a6629d3803e261a7870bfde9329c2d66d8f1f325
                                • Opcode Fuzzy Hash: 7a0cf2f9a170188cf8176f6b21977c97595d7750656dd6d39994cb790a9a5e0c
                                • Instruction Fuzzy Hash: 8DD0123250411DABCF156B94DC45CDD7BBCFF08214700441AF941E2150EA75E515D794
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F7F74A
                                  • Part of subcall function 00F7F784: __EH_prolog.LIBCMT ref: 00F7F789
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: a38e6f224de3846b247848af192ab1e4b1d091c6585d98dc95f7f913e8adb891
                                • Instruction ID: 791b797e447a2853e733aa3a7aef6148fa6351baccd4565875aa213dbbc3833b
                                • Opcode Fuzzy Hash: a38e6f224de3846b247848af192ab1e4b1d091c6585d98dc95f7f913e8adb891
                                • Instruction Fuzzy Hash: 20D01272A14244BFD7149B45DC13BAEBB78EB40758F10452FF00161241C3B9590496A5
                                APIs
                                • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,00F47BCD,?,?,00000000,?,?,?,00F41DD8), ref: 00F47B65
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: FileRead
                                • String ID:
                                • API String ID: 2738559852-0
                                • Opcode ID: 0b3ddc6c73de94d1ade44a9750f8a43d7e6d4332189f4b8005060ad05ad3a83e
                                • Instruction ID: 6bed45ab1e4a2a2ba4c7f2492ecd1d181dbce2457f29cefe6ea45456d6e669fd
                                • Opcode Fuzzy Hash: 0b3ddc6c73de94d1ade44a9750f8a43d7e6d4332189f4b8005060ad05ad3a83e
                                • Instruction Fuzzy Hash: 39E0EC75200308FBDF01CF90CC41F8E7BB9AB49754F208058F9059A160C375AA54EB50
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F980AF
                                  • Part of subcall function 00F41E0C: malloc.MSVCRT ref: 00F41E1F
                                  • Part of subcall function 00F41E0C: _CxxThrowException.MSVCRT(00FF4B28,00FF4B28), ref: 00F41E39
                                  • Part of subcall function 00F8BDB5: __EH_prolog.LIBCMT ref: 00F8BDBA
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ExceptionThrowmalloc
                                • String ID:
                                • API String ID: 3744649731-0
                                • Opcode ID: f50a342ed9b682e584d220901eaa6f62f29b5f7df1a1155b508e635dab461c19
                                • Instruction ID: 2a2663ea443d0c201c07b0d53c6c690c929aa259a24511088e75457707afc61e
                                • Opcode Fuzzy Hash: f50a342ed9b682e584d220901eaa6f62f29b5f7df1a1155b508e635dab461c19
                                • Instruction Fuzzy Hash: 4BD05E72F05201AFDF08FFB4982276E76A1AB84344F00457EA417E3781EF789904A621
                                APIs
                                • FindClose.KERNELBASE(00000000,?,00F46880), ref: 00F46853
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CloseFind
                                • String ID:
                                • API String ID: 1863332320-0
                                • Opcode ID: 9631e1f6805554467d4a3712b8f3e11c6fafecf095f3a9375baaa4481c7147a5
                                • Instruction ID: 2da22e681483ca66848c80c1537c4682f164d7bdf09e98cbc0f6fc573cebab88
                                • Opcode Fuzzy Hash: 9631e1f6805554467d4a3712b8f3e11c6fafecf095f3a9375baaa4481c7147a5
                                • Instruction Fuzzy Hash: AFD01231504261468A645E3D78449C537D86F073343210759F4B0C72E1D7608C836690
                                APIs
                                 Similarity
                                 • API ID: fputs
                                 • String ID:
                                APIs
                                 Similarity
                                 • API ID: fputc
                                 • String ID:
                                APIs
                                • SetFileTime.KERNELBASE(?,?,?,?,00F47C65,00000000,00000000,?,00F4F238,?,?,?,?), ref: 00F47C49
                                 Similarity
                                 • API ID: FileTime
                                 • String ID:
                                APIs
                                • SetEndOfFile.KERNELBASE(?,00F47D81,?,?,?), ref: 00F47D3E
                                 Similarity
                                 • API ID: File
                                 • String ID:
                                APIs
                                 Similarity
                                 • API ID: memmove
                                 • String ID:
                                APIs
                                • CloseHandle.KERNELBASE(00000000,00000000,00F53D8D), ref: 00F53E12
                                 Similarity
                                 • API ID: CloseHandle
                                 • String ID:
                                APIs
                                 Similarity
                                 • API ID: malloc
                                 • String ID:
                                APIs
                                • CloseHandle.KERNELBASE(00000000,?,00F475AF,?,?,00000003,02000000), ref: 00F47657
                                 Similarity
                                 • API ID: CloseHandle
                                 • String ID:
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000), ref: 00FC6B31
                                 Similarity
                                 • API ID: AllocVirtual
                                 • String ID:
                                APIs
                                 Similarity
                                 • API ID: malloc
                                 • String ID:
                                APIs
                                 Similarity
                                 • API ID: malloc
                                 • String ID:
                                APIs
                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00FC6BAC
                                 Similarity
                                 • API ID: FreeVirtual
                                 • String ID:
                                APIs
                                 Similarity
                                 • API ID: free
                                 • String ID:
                                APIs
                                 Similarity
                                 • API ID: free
                                 • String ID:
                                APIs
                                 Similarity
                                 • API ID: free
                                 • String ID:
                                APIs
                                • GetCurrentProcessId.KERNEL32(?,010031C8,?,00000000), ref: 00FC57EA
                                  • Part of subcall function 00FDF050: memcpy.MSVCRT(?,?,?,00000000,?,?,?,00FD8202,?,?,?,00FD932B,?,?,00000000,00000000), ref: 00FDF07F
                                • GetCurrentThreadId.KERNEL32 ref: 00FC5803
                                  • Part of subcall function 00FDF050: memcpy.MSVCRT(?,?,00000040,00000000,?,?,?,00FD8202,?,?,?,00FD932B,?,?,00000000,00000000), ref: 00FDF09B
                                  • Part of subcall function 00FDF050: memcpy.MSVCRT(?,?,?,?,?,?), ref: 00FDF0D0
                                • LoadLibraryW.KERNEL32(advapi32.dll,00000004,?,00000000), ref: 00FC5821
                                • GetProcAddress.KERNEL32(00000000,SystemFunction036), ref: 00FC5833
                                • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 00FC5865
                                • QueryPerformanceCounter.KERNEL32(?,?,00000000), ref: 00FC5876
                                • GetTickCount.KERNEL32 ref: 00FC588F
                                 Similarity
                                 • API ID: memcpy$CurrentLibrary$AddressCountCounterFreeLoadPerformanceProcProcessQueryThreadTick
                                 • String ID: SystemFunction036$advapi32.dll
                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,GetDiskFreeSpaceExW,74DEF5D0,?,00000000,?,?,00074004,00000000,00000000,?,00000020,?,00000000), ref: 00F4926E
                                • GetProcAddress.KERNEL32(00000000), ref: 00F49275
                                • GetDiskFreeSpaceW.KERNEL32(?,?,00000000,00000020,?,?,00000000,?,?,00074004,00000000,00000000,?,00000020,?,00000000), ref: 00F492C5
                                 Similarity
                                 • API ID: AddressDiskFreeHandleModuleProcSpace
                                 • String ID: GetDiskFreeSpaceExW$kernel32.dll
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F48300
                                • GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000), ref: 00F4834F
                                • DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 00F4837C
                                • memcpy.MSVCRT(?,?,?,?,?,00000000,00000001,00000003,02200000), ref: 00F4839B
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ControlDeviceFileH_prologHandleInformationfreememcpy
                                • String ID:
                                • API String ID: 1689166341-0
                                • Opcode ID: 6bd5eacbeaada2060e4fe7f989670b8e8f6fdb72e1bd30ecf98dc42385b84e85
                                • Instruction ID: 8d02d6c87245a593070f4510bb85a42cd752b0647986178f755086238369a09e
                                • Opcode Fuzzy Hash: 6bd5eacbeaada2060e4fe7f989670b8e8f6fdb72e1bd30ecf98dc42385b84e85
                                • Instruction Fuzzy Hash: F721D372900208AFDF20AF94DC81EEE7FB9EF84790F14002EFD45A6251CB355E44E660
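The function at 00F48300 above pairs GetFileInformationByHandle with a DeviceIoControl whose control code the report shows only as the raw value 000900A8. The following is an added example, not code from the Joe Sandbox report or from 7-Zip: it parses the report's own "APIs" bullet-line format (the sample lines are the ones listed above, embedded inline) and splits each DeviceIoControl control code into its CTL_CODE fields so an analyst can name it. The CTL_CODE layout and the handful of FSCTL values in the lookup table are the documented winioctl.h definitions; the helper names (parse_api_lines, decode_ctl_code, find_ioctls) are this example's own, and it assumes the plugin prints arguments as hex words in call-site order with "?" for values it could not recover.

```python
import re
from typing import Any, Dict, List

# Constructed sample: the "APIs" lines of the function at 00F48300, copied from
# the listing above in the report's own format
# ("<Name>.<Module>(<args>), ref: <addr>", subcalls prefixed with their caller).
SAMPLE_LINES = """
• __EH_prolog.LIBCMT ref: 00F48300
• GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000), ref: 00F4834F
• DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 00F4837C
• memcpy.MSVCRT(?,?,?,?,?,00000000,00000001,00000003,02200000), ref: 00F4839B
  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
"""

API_LINE = re.compile(
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# CTL_CODE layout from winioctl.h:
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
DEVICE_TYPES = {0x09: "FILE_DEVICE_FILE_SYSTEM"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
# File-system control codes whose values are fixed by winioctl.h (small subset).
KNOWN_FSCTL = {
    0x000900A4: "FSCTL_SET_REPARSE_POINT",
    0x000900A8: "FSCTL_GET_REPARSE_POINT",
    0x000900AC: "FSCTL_DELETE_REPARSE_POINT",
    0x000900C4: "FSCTL_SET_SPARSE",
    0x0009C040: "FSCTL_SET_COMPRESSION",
}


def _parse_arg(token: str) -> Any:
    """Hex word -> int; '?' (value not recovered by the plugin) -> None; else raw text."""
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token  # e.g. a string literal such as kernel32.dll


def parse_api_lines(text: str) -> List[Dict[str, Any]]:
    """Parse Joe Sandbox 'APIs' bullet lines into call records (call-site order kept)."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [_parse_arg(a) for a in raw_args.split(",")] if raw_args and raw_args.strip() else []
        calls.append({
            "name": m.group("name"),
            "module": m.group("module"),
            "args": args,
            "ref": m.group("ref"),
            "caller": m.group("caller"),  # set only for 'Part of subcall' lines
        })
    return calls


def decode_ctl_code(code: int) -> Dict[str, int]:
    """Split an I/O control code into its CTL_CODE fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


def find_ioctls(calls: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Decode dwIoControlCode (2nd parameter) of every DeviceIoControl call."""
    out = []
    for c in calls:
        if c["name"] != "DeviceIoControl" or len(c["args"]) < 2 or c["args"][1] is None:
            continue
        code = c["args"][1]
        fields = decode_ctl_code(code)
        out.append({
            "ref": c["ref"],
            "code": code,
            "decoded": fields,
            "device_type_name": DEVICE_TYPES.get(fields["device_type"], "unknown"),
            "method_name": METHODS[fields["method"]],
            "known_name": KNOWN_FSCTL.get(code, "unknown"),
            # 6th parameter of DeviceIoControl is nOutBufferSize
            "out_buffer_size": c["args"][5] if len(c["args"]) > 5 else None,
        })
    return out


if __name__ == "__main__":
    for ioctl in find_ioctls(parse_api_lines(SAMPLE_LINES)):
        print(f"{ioctl['ref']}: 0x{ioctl['code']:08X} -> {ioctl['known_name']} "
              f"({ioctl['device_type_name']}, function {ioctl['decoded']['function']}, "
              f"{ioctl['method_name']}, out buffer 0x{ioctl['out_buffer_size']:X})")
```

Decoded, 000900A8 is device type 9 (FILE_DEVICE_FILE_SYSTEM), function 42, METHOD_BUFFERED, FILE_ANY_ACCESS, i.e. FSCTL_GET_REPARSE_POINT, and the 00004000 output-buffer size equals MAXIMUM_REPARSE_DATA_BUFFER_SIZE (16 KiB). That is the standard way a program reads a symlink or junction target, which is what an archiver does when it records links, not a channel to a custom driver. The trailing values 00000001,00000003,02200000 on the GetFileInformationByHandle line (which takes only two parameters) are stack residue; read as CreateFileW arguments they would be FILE_SHARE_READ, OPEN_EXISTING and FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, which is the open mode needed before querying a reparse point. That reading is an inference from the listing, not something the report states.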
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F8D49B
                                  • Part of subcall function 00F8EBC9: __EH_prolog.LIBCMT ref: 00F8EBCE
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: Copy$LZMA2
                                • API String ID: 3519838083-1006940721
                                • Opcode ID: 4c92da8682d94ca24744aee20e701e3d0f032e02e0e715b84460db7db6980f3b
                                • Instruction ID: 84c64409bcc93fd6ba9fe417896e77487462f2db4a5fe2c0ae8bdb5fad184f51
                                • Opcode Fuzzy Hash: 4c92da8682d94ca24744aee20e701e3d0f032e02e0e715b84460db7db6980f3b
                                • Instruction Fuzzy Hash: D6D19171D002089BDF25EFA4C885BEDBBB2BF84324F18802AE415AB2D5DB749845EB54
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F4749B
                                • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 00F474B8
                                • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 00F474E6
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: DriveLogicalStrings$H_prologfree
                                • String ID:
                                • API String ID: 396970233-0
                                • Opcode ID: 8dd5248699cd02453c9b2e74483013f03d44e92a8bc081b6667ef561e35097f5
                                • Instruction ID: 2fb9c72df3401adcc3ca898d5b42e30e3a11c5d66eecbbf493285da962412613
                                • Opcode Fuzzy Hash: 8dd5248699cd02453c9b2e74483013f03d44e92a8bc081b6667ef561e35097f5
                                • Instruction Fuzzy Hash: D3218572E043199BDB10EFF5DCC16EEBBB5FF44360F14402AE911A7242D778A9459790
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: Version
                                • String ID:
                                • API String ID: 1889659487-0
                                • Opcode ID: eaacb382dd7d7af89ccd58bc22f71460da47c417f134573d3320254eb20956d0
                                • Instruction ID: 1155c25fb1bdd6128a174cc398b012003120ff234dd1c1f3b81d8708dc866b0e
                                • Opcode Fuzzy Hash: eaacb382dd7d7af89ccd58bc22f71460da47c417f134573d3320254eb20956d0
                                • Instruction Fuzzy Hash: E8D012729114454BD700766DCC462597762FB60300FC80954E965C1153FDADC6D692D3
                                APIs
                                  • Part of subcall function 00F49C4D: GetCurrentProcess.KERNEL32(?,?,00F49C6E), ref: 00F49C52
                                  • Part of subcall function 00F49C4D: GetProcessAffinityMask.KERNEL32(00000000), ref: 00F49C59
                                • GetSystemInfo.KERNEL32(?), ref: 00F49C84
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: Process$AffinityCurrentInfoMaskSystem
                                • String ID:
                                • API String ID: 3251479945-0
                                • Opcode ID: fd3323c788ab75e8d6e30b1ccd24da26fa234cc181b1e0be97258880c689bc07
                                • Instruction ID: e9f91accd932acf5d5634f9da224375f7f90b2ff814905ae7045b071dd995f4b
                                • Opcode Fuzzy Hash: fd3323c788ab75e8d6e30b1ccd24da26fa234cc181b1e0be97258880c689bc07
                                • Instruction Fuzzy Hash: D8D01730B0410E97CF08EBE5D8C6DEF7BF86E84219F040058EF02E2190EAA0E945E6A1
                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(?,00F7B9BE), ref: 00F4AB2B
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: Time$FileSystem
                                • String ID:
                                • API String ID: 2086374402-0
                                • Opcode ID: 89a3a05cb78f24ef7473bef4a2a69bcb7ba61a3e82e5b70ef0cf4a1f82611f0c
                                • Instruction ID: c6b633f188778e7e2b43426d70a0b2be9ba2908b9a91a13295edbd8cf9741b33
                                • Opcode Fuzzy Hash: 89a3a05cb78f24ef7473bef4a2a69bcb7ba61a3e82e5b70ef0cf4a1f82611f0c
                                • Instruction Fuzzy Hash:
                                APIs
                                • GetCurrentProcess.KERNEL32(?,?,?,?), ref: 00F7B99E
                                • GetProcessTimes.KERNEL32(00000000), ref: 00F7B9A5
                                  • Part of subcall function 00F4AB2A: GetSystemTimeAsFileTime.KERNEL32(?,00F7B9BE), ref: 00F4AB2B
                                • memset.MSVCRT ref: 00F7B9C7
                                • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F7B9E0
                                • GetProcAddress.KERNEL32(00000000,K32GetProcessMemoryInfo), ref: 00F7B9F5
                                • LoadLibraryW.KERNEL32(Psapi.dll), ref: 00F7BA02
                                • GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo), ref: 00F7BA12
                                • GetCurrentProcess.KERNEL32(?,00000028), ref: 00F7BA20
                                • GetProcAddress.KERNEL32(?,QueryProcessCycleTime), ref: 00F7BA34
                                • GetCurrentProcess.KERNEL32(?), ref: 00F7BA40
                                • fputs.MSVCRT ref: 00F7BAC3
                                • __aulldiv.LIBCMT ref: 00F7BAD8
                                • fputs.MSVCRT ref: 00F7BAF5
                                • fputs.MSVCRT ref: 00F7BB21
                                • __aulldiv.LIBCMT ref: 00F7BB31
                                • __aulldiv.LIBCMT ref: 00F7BB49
                                • fputs.MSVCRT ref: 00F7BB66
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: Processfputs$AddressCurrentProc__aulldiv$Time$FileHandleLibraryLoadModuleSystemTimesmemset
                                • String ID: Cnt:$ Freq (cnt/ptime):$ MCycles$ MHz$GetProcessMemoryInfo$Global $K32GetProcessMemoryInfo$Kernel $Physical$Process$Psapi.dll$QueryProcessCycleTime$User $Virtual $kernel32.dll
                                • API String ID: 4173168154-4201791934
                                • Opcode ID: 7e2401679f1967b466db96d9d093023291a9586e312b8b5d43e4bcb020541a15
                                • Instruction ID: 0104d89990eaec16c1aa1661ffc2b431618d609356e8b8158badbdd961f87997
                                • Opcode Fuzzy Hash: 7e2401679f1967b466db96d9d093023291a9586e312b8b5d43e4bcb020541a15
                                • Instruction Fuzzy Hash: 46617F71E00218EFDB149FE4DC85EAEBBB9FF88310F10802AF605E7191DB755945AB61
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: ERROR$GNU$LongLink$LongName$PAX$PAX_error$PAX_overflow$PAX_unsupported_line$POSIX$SignedChecksum$WARNING$atime$bin_mtime$bin_psize$bin_size$ctime$mtime$pax_linkpath$pax_path$pax_size
                                • API String ID: 3519838083-1011227609
                                • Opcode ID: c3315059ab42a64ae1c84bc2697d9d3f34285852c658f76506da4b7102d8060d
                                • Instruction ID: e1246a011a94040145860a18ec6f7620f166f1ff3b3cada5476c7f885fcfe9c1
                                • Opcode Fuzzy Hash: c3315059ab42a64ae1c84bc2697d9d3f34285852c658f76506da4b7102d8060d
                                • Instruction Fuzzy Hash: 52D1F632D0468A9AEF35DBA0CC51AFEBFB0AF11310F54452AF19A631A1D7386D46F781
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: strcmp$H_prolog
                                • String ID: atime$ctime$gid$gname$linkpath$mtime$path$size$uid$uname
                                • API String ID: 2964315577-3165903417
                                • Opcode ID: 22c7ace58451d7ebc032e23d3ea0e9432b7c9f957cfcb40783d08886b4f556b8
                                • Instruction ID: 997cb2eb64ffe6a0801d4ff21bb0d0014b3db6a77977cbf8240bb8b95e3fc004
                                • Opcode Fuzzy Hash: 22c7ace58451d7ebc032e23d3ea0e9432b7c9f957cfcb40783d08886b4f556b8
                                • Instruction Fuzzy Hash: 61C11631C087469EEF65DBA4C980BAEBFE1AF11314F54143DE482D2992D7B8B98DE701
                                APIs
                                • __EH_prolog.LIBCMT ref: 00FA07B8
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                  • Part of subcall function 00F4297F: memcpy.MSVCRT(?,?,?,?,?,00F650A5,?,?), ref: 00F429B2
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prologfreememcpy
                                • String ID: @PathCut/_pc_$L$PaxHeader/@PaxHeader$atime$crc32/$ctime$devmajor$devminor$gid$gname$linkpath$mtime$path$root$size$uid$uname
                                • API String ID: 2037215848-4204487407
                                • Opcode ID: ecabbb8b601e6f7aac7802b1aee246de7050a77d3f864d568b284a207776b687
                                • Instruction ID: b53a0bcf9a7c2df2c92bcb969b1fa25b9da52e72a013afe12785ea80ec459065
                                • Opcode Fuzzy Hash: ecabbb8b601e6f7aac7802b1aee246de7050a77d3f864d568b284a207776b687
                                • Instruction Fuzzy Hash: BB02C1B1D01249DFDB20DF54D890AEEFBB5BF16310F5441AED045A3252DB34AE88EB61
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F8FA44
                                  • Part of subcall function 00F8F13E: _CxxThrowException.MSVCRT(?,00FFD480), ref: 00F8F161
                                • memcpy.MSVCRT(?,?,?,?,?,?,?,?,0000000B,00000000,?,?), ref: 00F8FE36
                                • _CxxThrowException.MSVCRT(?,00FFD480), ref: 00F8FED2
                                • _CxxThrowException.MSVCRT(?,00FFD480), ref: 00F8FEE6
                                • _CxxThrowException.MSVCRT(?,00FFD480), ref: 00F8FEFA
                                • _CxxThrowException.MSVCRT(?,00FFD480), ref: 00F8FF0E
                                • _CxxThrowException.MSVCRT(?,00FFD480), ref: 00F8FF22
                                • _CxxThrowException.MSVCRT(?,00FFD480), ref: 00F8FF36
                                • _CxxThrowException.MSVCRT(?,00FFD480), ref: 00F8FF4A
                                • _CxxThrowException.MSVCRT(?,00FFD480), ref: 00F8FF5E
                                • _CxxThrowException.MSVCRT(?,00FFD480), ref: 00F8FF72
                                • _CxxThrowException.MSVCRT(?,00FFD480), ref: 00F8FF86
                                • _CxxThrowException.MSVCRT(?,00FFD480), ref: 00F8FF9A
                                  • Part of subcall function 00F8EF67: _CxxThrowException.MSVCRT(?,00FFD440), ref: 00F8EF7A
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionThrow$H_prologmemcpy
                                • String ID: $!$@
                                • API String ID: 3273695820-2517134481
                                • Opcode ID: c93686f664158850fe40c694243e670923cad880a06921857c445f8ee53b1b07
                                • Instruction ID: 462f102faee352fcc25fbaaa4d8d40a13f1c347a0765c5f2bbe88b06aa15e86e
                                • Opcode Fuzzy Hash: c93686f664158850fe40c694243e670923cad880a06921857c445f8ee53b1b07
                                • Instruction Fuzzy Hash: 98129F74E01249DFCF14EFA4C8D1AEDBBB1BF49314F148069E945AB352C734AA49EB60
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F7B6B0
                                • fputs.MSVCRT ref: 00F7B71A
                                  • Part of subcall function 00F421D8: fputs.MSVCRT ref: 00F421F2
                                • fputs.MSVCRT ref: 00F7B6EB
                                  • Part of subcall function 00F7B8DD: __EH_prolog.LIBCMT ref: 00F7B8E2
                                  • Part of subcall function 00F7B8DD: fputs.MSVCRT ref: 00F7B90B
                                  • Part of subcall function 00F7B8DD: fputs.MSVCRT ref: 00F7B94F
                                • fputs.MSVCRT ref: 00F7B79D
                                • fputs.MSVCRT ref: 00F7B7BC
                                • fputs.MSVCRT ref: 00F7B7E5
                                • fputs.MSVCRT ref: 00F7B7F8
                                • fputc.MSVCRT ref: 00F7B805
                                  • Part of subcall function 00F41FA0: fputc.MSVCRT ref: 00F41FA7
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prologfputc
                                • String ID: Error:$ file$Scan WARNINGS for files and folders:$Scan WARNINGS: $WARNING: Cannot open $WARNINGS for files:
                                • API String ID: 3294964263-2840245699
                                • Opcode ID: 19797adedc61f78735a488997e10f9a94cd9a9f0f3871d811c032f2949710c10
                                • Instruction ID: 687844d47fca73ceb339aef2c0e37ebec15a9ab7dc1c090384b62a6aa1b4f02e
                                • Opcode Fuzzy Hash: 19797adedc61f78735a488997e10f9a94cd9a9f0f3871d811c032f2949710c10
                                • Instruction Fuzzy Hash: AC519131E041058BCF19AB94DC92BAD77A1BF85310F24406EF805A6192DF795E86EBA3
                                APIs
                                • memcmp.MSVCRT(?,00FF48A0,00000010), ref: 00F4C09E
                                • memcmp.MSVCRT(?,00FF0258,00000010), ref: 00F4C0BB
                                • memcmp.MSVCRT(?,00FF0348,00000010), ref: 00F4C0CE
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: bceb56bf9299ac14e7e2c05175f42880fe1e12a39c2748f628c76205fca820ae
                                • Instruction ID: 369430738c89004c58c0e8b67b1a88fa6dafa88e677023bb5b85470d8b1995a7
                                • Opcode Fuzzy Hash: bceb56bf9299ac14e7e2c05175f42880fe1e12a39c2748f628c76205fca820ae
                                • Instruction Fuzzy Hash: 03917272A41614ABD7A09E25DC41FBB3BA8AF65720F048029FD4BD7201FB24EE04E7D1
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F53057
                                • OpenFileMappingW.KERNEL32(00000004,00000000,00000002,?,?,?,00000000,?), ref: 00F5311B
                                • GetLastError.KERNEL32(?,?,00000000,?), ref: 00F53128
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ErrorFileH_prologLastMappingOpen
                                • String ID: Cannot open mapping$Map data error$MapViewOfFile error$Unsupported Map data$Unsupported Map data size
                                • API String ID: 2221086200-2628113885
                                • Opcode ID: 9e12d731c3fa8a21925a4dd63a9f0bbf086a076330cf3436af3f937643cc5a9c
                                • Instruction ID: 70662aeab3f050f553eb7fa2dfbe7ec6f4da6ea66db58221c8cbef4536be752a
                                • Opcode Fuzzy Hash: 9e12d731c3fa8a21925a4dd63a9f0bbf086a076330cf3436af3f937643cc5a9c
                                • Instruction Fuzzy Hash: 3F51BE31C0065ADECB01EBE8C885AEDBB71BF14395F140069EE01B7251CB755F89EBA2
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog$fputcfree
                                • String ID: Modified: $Path: $Size:
                                • API String ID: 2632947726-3207571042
                                • Opcode ID: 96d040788ba8d016a08c4d3bf673ee98e9301153cbbce34e1b1ce3396138e741
                                • Instruction ID: 2ab5970aaa3c33e25d00e8b91ee1d63dcd24009f0c1d9e2eb6ae51254256dddd
                                • Opcode Fuzzy Hash: 96d040788ba8d016a08c4d3bf673ee98e9301153cbbce34e1b1ce3396138e741
                                • Instruction Fuzzy Hash: 1F21B631A00109ABCF01ABA5CCD1DAEBF32EF84350F14412AF9055A1A1EB754965FF91
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $16-bit overflow for number of files in headers$32-bit overflow in headers$Central$Local$Minor_Extra_ERROR$Missing volume : $Unsorted_CD$Zip64$apk
                                • API String ID: 3519838083-1909666238
                                • Opcode ID: b08cfc798f5b1f5c44d9cf9eceba6a9202c719a0ffc7a99c1dff1cbbbb1b8bb3
                                • Instruction ID: 76f8dd1fef105ef5b20c258389aa5aa0577d4f9a5cbeb18a9cdf2fc974467199
                                • Opcode Fuzzy Hash: b08cfc798f5b1f5c44d9cf9eceba6a9202c719a0ffc7a99c1dff1cbbbb1b8bb3
                                • Instruction Fuzzy Hash: 87C1F1B1D042899FCB14DF64D851ABD7BB1AF83310F1980A9E4499B262D7B8BE45FB40
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog
                                • String ID: @$data:
                                • API String ID: 2614055831-1130426132
                                • Opcode ID: d907cb07ec76b95dfec9b2858913a8c1b8966e84f69e5d519bc4f6b099973556
                                • Instruction ID: 94ebd94542d08f93effdd1f2e807256df7e94a697f78ba37f777de7d7f03af3b
                                • Opcode Fuzzy Hash: d907cb07ec76b95dfec9b2858913a8c1b8966e84f69e5d519bc4f6b099973556
                                • Instruction Fuzzy Hash: 7AD1F331D1830A9FDF15EFA4D884AEEB7B5FF48314F20841AE44AA3251D734AD45EB62
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: -Cert$:eos$AES$Central$Descriptor_ERROR$Local$StrongCrypto$ZipCrypto
                                • API String ID: 3519838083-2591855172
                                • Opcode ID: 34bec906331a90910eaf7aadbd8449b20a2aa53ed419351f9ea30846d42848f9
                                • Instruction ID: c5bb2c0c1a92f875c1f957e1e32d423556f1cb7846c053cb1c180284cf818041
                                • Opcode Fuzzy Hash: 34bec906331a90910eaf7aadbd8449b20a2aa53ed419351f9ea30846d42848f9
                                • Instruction Fuzzy Hash: ABF1F6B19002099ACF15DBA4CD91BFEBBB5AF86320F540419F942731D2DBB8BA45F760
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $ $.$:mem$Delta$LZMA$LZMA2$o
                                • API String ID: 3519838083-3806607069
                                • Opcode ID: c2063a09197ef166a12f3d872ad0607a4ce35f4b81e80982b9300efe7740f98d
                                • Instruction ID: 66cefb17f225a7e17b3d6df97825bf43f9362b6ee319e1b0553f71743969f0da
                                • Opcode Fuzzy Hash: c2063a09197ef166a12f3d872ad0607a4ce35f4b81e80982b9300efe7740f98d
                                • Instruction Fuzzy Hash: 64D10231D0029D8BCF15EFA8C8946EEBBB2BF4A310F244169D895AB242C7755D05EBB0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F464F8
                                • GetCurrentThreadId.KERNEL32 ref: 00F46508
                                • GetTickCount.KERNEL32 ref: 00F46513
                                • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 00F4651E
                                • GetTickCount.KERNEL32 ref: 00F46578
                                • SetLastError.KERNEL32(000000B7,?,?,?,00000000), ref: 00F465C5
                                • GetLastError.KERNEL32(?,?,?,00000000), ref: 00F465EC
                                  • Part of subcall function 00F45D7A: __EH_prolog.LIBCMT ref: 00F45D7F
                                  • Part of subcall function 00F45D7A: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 00F45DA1
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CountCurrentErrorH_prologLastTick$CreateDirectoryProcessThreadfree
                                • String ID: .tmp$d
                                • API String ID: 1989517917-2797371523
                                • Opcode ID: 796c9549bc5eb3c9b2712f3156716ffa5f92301e02a84602d097ab634ce5fdfb
                                • Instruction ID: 9a5595c47b613a925b58ea041dcfb694ca8fee4356582c5fea7c6d58657b8b7d
                                • Opcode Fuzzy Hash: 796c9549bc5eb3c9b2712f3156716ffa5f92301e02a84602d097ab634ce5fdfb
                                • Instruction Fuzzy Hash: A941CE329102549BDF15ABA4DC557ED7FB1BF56324F18012AFC02EA2A2CB388951FB52
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$fputc$__aulldiv
                                • String ID: Time =$Kernel
                                • API String ID: 3602660170-1750218609
                                • Opcode ID: 38e3b5a5e60d2fd8958a9dab3b057c0f367d19032efce6b7e2a14790a5002e3b
                                • Instruction ID: 7ea47053be677c7c21d940ee45cc4194281dc2c2efc5bde43c9777320c65c303
                                • Opcode Fuzzy Hash: 38e3b5a5e60d2fd8958a9dab3b057c0f367d19032efce6b7e2a14790a5002e3b
                                • Instruction Fuzzy Hash: 3731E532A00218BFDB15DF94DC46F9A37A6EF89760F148027F9089F290C7B69D509B95
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog
                                • String ID: $ MB$ Memory =
                                • API String ID: 2614055831-2616823926
                                • Opcode ID: b1030b00d1525dda56d383ce89ee16817cdd11395452535c67dcee8206033498
                                • Instruction ID: 62347ba4006e21cc7676358bd7331ae4a3ac2dfe1fd3164bf136ee2ea077028c
                                • Opcode Fuzzy Hash: b1030b00d1525dda56d383ce89ee16817cdd11395452535c67dcee8206033498
                                • Instruction Fuzzy Hash: 7B110A32A00105AFDB16ABD5DC42E7DBF75EF84360F104027F50097291DB7A6955EB91
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs
                                • String ID: : Cannot open the file as [$ERROR$Open $WARNING$] archive
                                • API String ID: 1795875747-657955069
                                • Opcode ID: 9491b487aaa2ce97254f307f6e0d9c1284460e2ed1d22ee6b6e0cf96ca4009e4
                                • Instruction ID: bebfba6e09686e8b73ce96a3d5df709e29f41e43fc4776d3291c29a2888cc0a0
                                • Opcode Fuzzy Hash: 9491b487aaa2ce97254f307f6e0d9c1284460e2ed1d22ee6b6e0cf96ca4009e4
                                • Instruction Fuzzy Hash: DAF0A732A441987FCA2027966C85D2EFF5ADFC53B1B240137FD0443292EF655869BEA2
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F6ED83
                                  • Part of subcall function 00F55459: __EH_prolog.LIBCMT ref: 00F5545E
                                  • Part of subcall function 00F4823D: __EH_prolog.LIBCMT ref: 00F48242
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$free
                                • String ID: : $ : MINOR_ERROR$...$Junction: $Link: $REPARSE:$WSL:
                                • API String ID: 2654054672-3981964144
                                • Opcode ID: 833e351e0d3a1c329d55bf0cbbbafdf9af167423fb3dddedb231dc8115e836f2
                                • Instruction ID: c6e2fc3fe6ca0a99b7733abeab2ea62e29911ac8bfcc9217c251c3c223bd2fba
                                • Opcode Fuzzy Hash: 833e351e0d3a1c329d55bf0cbbbafdf9af167423fb3dddedb231dc8115e836f2
                                • Instruction Fuzzy Hash: 2B51E376E001599BCF10EBD4DC51AFEBB76AF94310F140019E802BB282CB79AB45F751
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F56B63
                                  • Part of subcall function 00F54D92: __EH_prolog.LIBCMT ref: 00F54D97
                                  • Part of subcall function 00F47DF8: __EH_prolog.LIBCMT ref: 00F47DFD
                                Strings
                                • Cannot fill link data, xrefs: 00F56D1E
                                • Incorrect path, xrefs: 00F56C46
                                • Internal error for symbolic link file, xrefs: 00F56D53
                                • Empty link, xrefs: 00F56C21
                                • Dangerous symbolic link path was ignored, xrefs: 00F56CCB
                                • Dangerous link path was ignored, xrefs: 00F56BE5
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: Cannot fill link data$Dangerous link path was ignored$Dangerous symbolic link path was ignored$Empty link$Incorrect path$Internal error for symbolic link file
                                • API String ID: 3519838083-3151419218
                                • Opcode ID: 3dcacce90541ba17d0615afdd3267b195914ba6fb47f1c62e020f15d319331e1
                                • Instruction ID: 83abae48b5726c9484ecabcfd50c98c522720c3fab2b2267177c443135bd2ade
                                • Opcode Fuzzy Hash: 3dcacce90541ba17d0615afdd3267b195914ba6fb47f1c62e020f15d319331e1
                                • Instruction Fuzzy Hash: FE71E171A0028AAECF15EBA0CC519EEBF75AF08315F508429FD65A3252DB35694CFB60
                                APIs
                                • EnterCriticalSection.KERNEL32(01002938), ref: 00F7591F
                                • fputs.MSVCRT ref: 00F7595E
                                • fputs.MSVCRT ref: 00F75983
                                • LeaveCriticalSection.KERNEL32(01002938), ref: 00F75A1F
                                Strings
                                • Would you like to replace the existing file:, xrefs: 00F75959
                                • with the file from archive:, xrefs: 00F7597E
                                • v, xrefs: 00F75A1F
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSectionfputs$EnterLeave
                                • String ID: v$Would you like to replace the existing file:$with the file from archive:
                                • API String ID: 3346953513-622108208
                                • Opcode ID: 65e6d9e1e6f2f9881c538c1866e8016839791ab1fb9e117a027bd512e6528918
                                • Instruction ID: 2e4fe5675527707059fb9113389de9ce3e80b2fc093ec6da4eed419d4138a798
                                • Opcode Fuzzy Hash: 65e6d9e1e6f2f9881c538c1866e8016839791ab1fb9e117a027bd512e6528918
                                • Instruction Fuzzy Hash: 0A31B436200A44DFEB119F64DC81BA937B1EF48760F15821AFA4E9B251CB78AC41FB56
                                APIs
                                • memcmp.MSVCRT(?,00FF48A0,00000010), ref: 00F731BB
                                • memcmp.MSVCRT(?,00FF01B8,00000010), ref: 00F731D8
                                • memcmp.MSVCRT(?,00FF01C8,00000010), ref: 00F731EB
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: 1bff131fad022d4fc9fe7ca95f31eea93561e87ece06fb0ca8e4e93d2638590b
                                • Instruction ID: 2613e51441e117d681ca569af711690ffabd790ed7bce45c05062b7c93f93dfa
                                • Opcode Fuzzy Hash: 1bff131fad022d4fc9fe7ca95f31eea93561e87ece06fb0ca8e4e93d2638590b
                                • Instruction Fuzzy Hash: DE316572B402087BE7049A10DC81F7E33A99F64764F048526FE0A9B257FA65DF18F693
                                APIs
                                  • Part of subcall function 00FD7D80: WaitForSingleObject.KERNEL32(?,000000FF,00F5AFD6,?), ref: 00FD7D83
                                  • Part of subcall function 00FD7D80: GetLastError.KERNEL32(?,000000FF,00F5AFD6,?), ref: 00FD7D8E
                                  • Part of subcall function 00FD2FB0: EnterCriticalSection.KERNEL32(?,?,?,00FD2749), ref: 00FD2FB8
                                  • Part of subcall function 00FD2FB0: LeaveCriticalSection.KERNEL32(?,?,?,00FD2749), ref: 00FD2FC2
                                • EnterCriticalSection.KERNEL32(?), ref: 00FD290E
                                • LeaveCriticalSection.KERNEL32(?), ref: 00FD2928
                                • EnterCriticalSection.KERNEL32(?), ref: 00FD2992
                                • LeaveCriticalSection.KERNEL32(?), ref: 00FD29B8
                                • EnterCriticalSection.KERNEL32(?), ref: 00FD2A1E
                                • LeaveCriticalSection.KERNEL32(?), ref: 00FD2A56
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ErrorLastObjectSingleWait
                                • String ID: v
                                • API String ID: 2116739831-3261393531
                                • Opcode ID: a403f01c6f9569ec7c0ddf26b2e9a47c3f7740b7df9b261f8b995638037bda96
                                • Instruction ID: 8402299d23d559b8e3a55629e4e2897dfa834c1a2fb38c4bc3d9fde4913e36ac
                                • Opcode Fuzzy Hash: a403f01c6f9569ec7c0ddf26b2e9a47c3f7740b7df9b261f8b995638037bda96
                                • Instruction Fuzzy Hash: 76C15E756047058FC3A0DF24C580B67B7E2FFA8324F18492EE5AA87351EB34E945EB91
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F64B61
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prologfree
                                • String ID: -----$-----BEGIN PGP SIGNED MESSAGE$Hash: $cksum
                                • API String ID: 1978129608-4104380264
                                • Opcode ID: da4f4f5f98c116866fdf61c0bb52d649ea4c2540bbd85bf4f90f10a1cf36ce59
                                • Instruction ID: 2bb0f54c49bf58fd15a740ac11123668c1d7e64634a9ab2c1df44c4202a0c7f0
                                • Opcode Fuzzy Hash: da4f4f5f98c116866fdf61c0bb52d649ea4c2540bbd85bf4f90f10a1cf36ce59
                                • Instruction Fuzzy Hash: 0AB1B231C04249DECF11EFA4C881BEDBFB1BF15314F144499E84667282CB76AA89EB61
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F532F1
                                  • Part of subcall function 00F61D73: __EH_prolog.LIBCMT ref: 00F61D78
                                • _CxxThrowException.MSVCRT(?,00FF6010), ref: 00F534D2
                                • _CxxThrowException.MSVCRT(?,00FF6010), ref: 00F534EF
                                • __EH_prolog.LIBCMT ref: 00F534F9
                                Strings
                                • zero size last volume is not allowed, xrefs: 00F534D9
                                • Incorrect volume size:, xrefs: 00F534BF
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ExceptionThrow
                                • String ID: Incorrect volume size:$zero size last volume is not allowed
                                • API String ID: 2366012087-998621408
                                • Opcode ID: a9a182c07e36dbaab1c6df83071969ae196295cef97196de24d24f89c9ce4313
                                • Instruction ID: 999f1be9586c8126f5ee350e905f91829cf3f537a5ff14d9307fd78679cc516b
                                • Opcode Fuzzy Hash: a9a182c07e36dbaab1c6df83071969ae196295cef97196de24d24f89c9ce4313
                                • Instruction Fuzzy Hash: 6E71B031900255DFCB18EF68C845FEDBBB1BF04344F4444A9ED45AB292CB78AE49EB91
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$CriticalSection$EnterLeave
                                • String ID: v
                                • API String ID: 1081906680-3261393531
                                • Opcode ID: e20bd37f621a323890defbb7a12a386a3e1cc73714ddf64059457cbc9732cd25
                                • Instruction ID: 2aa1c536b6b94f9f900f17347b44b5c8064b93d813217dd8a68f6a9267b37ba8
                                • Opcode Fuzzy Hash: e20bd37f621a323890defbb7a12a386a3e1cc73714ddf64059457cbc9732cd25
                                • Instruction Fuzzy Hash: 9C51033160474ADFDB21DF24D880BA9BBA1FF44710F40C42EF80A5B290CBB0A945EB52
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: Incorrect switch postfix:$Multiple instances for switch:$Too long switch:$Too short switch:$Unknown switch:
                                • API String ID: 3519838083-2104980125
                                • Opcode ID: d775e179fd71de9fa51d13f3169adac24bae86194a8ed57697097c9943bac5f4
                                • Instruction ID: bf9a48f32d77722f1d9dabfdfefe6564290c13a83dad974b964b913cece8a8ee
                                • Opcode Fuzzy Hash: d775e179fd71de9fa51d13f3169adac24bae86194a8ed57697097c9943bac5f4
                                • Instruction Fuzzy Hash: F3519E31A0024ADBCF24DF58C880ABDBFB1FF51324F14815AEC559B692D774EA81EB91
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F7725F
                                  • Part of subcall function 00F7C7D7: fputs.MSVCRT ref: 00F7C840
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prologfputs
                                • String ID: Alternate streams$Alternate streams size$Files$Folders$Size
                                • API String ID: 1798449854-232602582
                                • Opcode ID: 941042f87131a10c329d976806ebfbe040deb9b2161977c2735da2a3b29f9f68
                                • Instruction ID: 63d9b9093c5bd4535be816a35d2dee8892a4bba5e212a79824e67ce9dd41dd35
                                • Opcode Fuzzy Hash: 941042f87131a10c329d976806ebfbe040deb9b2161977c2735da2a3b29f9f68
                                • Instruction Fuzzy Hash: 3B31A831710740AFD725BB65CC41F6AB7A6BF84310F00861EF45A52692CB74B855EB62
                                APIs
                                • EnterCriticalSection.KERNEL32(01002938), ref: 00F75ED6
                                • fputs.MSVCRT ref: 00F75F6A
                                • fputs.MSVCRT ref: 00F75F83
                                • LeaveCriticalSection.KERNEL32(01002938), ref: 00F75FC5
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSectionfputs$EnterLeave
                                • String ID: : $ v
                                • API String ID: 3346953513-2653416290
                                • Opcode ID: 3335f7897a3127eb1bb9c4ab720ff41bdfe2273f2392327bcf530d9f482f50f3
                                • Instruction ID: d426450e4049d31ef74b31232814ad30e9a6dfa0532290ebe1d5cc817bccae9e
                                • Opcode Fuzzy Hash: 3335f7897a3127eb1bb9c4ab720ff41bdfe2273f2392327bcf530d9f482f50f3
                                • Instruction Fuzzy Hash: BE318532901704DFD710EFA5DC84ECABBA0FF84324F50816EE95A8B222CB34A845EF50
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prologfputs
                                • String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
                                • API String ID: 1798449854-1259944392
                                • Opcode ID: 9183aa4a9ca581a51226fed1505694f10d9ed25a0f8c18a55304be984a29a94f
                                • Instruction ID: c05af80e8f6aaa0bcee9671054335dd1f88299f66bc71854e75c8b70a8c27c62
                                • Opcode Fuzzy Hash: 9183aa4a9ca581a51226fed1505694f10d9ed25a0f8c18a55304be984a29a94f
                                • Instruction Fuzzy Hash: 4E21B331A009459FCF44EB95DC42AAEB7A4FF54310B00403AF906D77A3CB78AD46EB81
                                APIs
                                • fputs.MSVCRT ref: 00F7DE96
                                  • Part of subcall function 00F41F91: fflush.MSVCRT ref: 00F41F93
                                • GetStdHandle.KERNEL32(000000F6), ref: 00F7DEA8
                                • GetConsoleMode.KERNEL32(00000000,00000000), ref: 00F7DECA
                                • SetConsoleMode.KERNEL32(00000000,00000000), ref: 00F7DEDB
                                • SetConsoleMode.KERNEL32(00000000,00000000), ref: 00F7DEFB
                                Strings
                                • Enter password (will not be echoed):, xrefs: 00F7DE91
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ConsoleMode$Handlefflushfputs
                                • String ID: Enter password (will not be echoed):
                                • API String ID: 108775803-3720017889
                                • Opcode ID: baa9c9b1811e7a050dac60d895f7df270adb79ff2b29e04377b3bd12ae9aeeb2
                                • Instruction ID: 910f61cb6032dc4b2c1cecaa3ec415ca749e48c37bde9f0bc9c4cba02ff46ce6
                                • Opcode Fuzzy Hash: baa9c9b1811e7a050dac60d895f7df270adb79ff2b29e04377b3bd12ae9aeeb2
                                • Instruction Fuzzy Hash: 35110632D0421DABDB02ABA4DC41AFEBFB8AF80730F14815AFC50A7190CB354946AB91
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: crc32$crc64$md5$sha1$sha256
                                • API String ID: 3519838083-3826973078
                                • Opcode ID: 92510a07cb6d9298f0fedcecca6bc7bb1ea1ed36a7c2c312ac98a249e44050a7
                                • Instruction ID: 6b5b0ac9dd63154717d0a426bd0a12e1239e72d14ec37aaa432026cee57beaab
                                • Opcode Fuzzy Hash: 92510a07cb6d9298f0fedcecca6bc7bb1ea1ed36a7c2c312ac98a249e44050a7
                                • Instruction Fuzzy Hash: 70112533E0446587CF20B6A5DC447ED7626AFC5B34F24407AE802776C6CA380E44B791
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: exit$CriticalSection$EnterLeave
                                • String ID: v
                                • API String ID: 43521-3261393531
                                • Opcode ID: a5bf0be138c7e6210da0c7530de945f3f20b4822811d1fbdd3ff1debfdce1510
                                • Instruction ID: ebaecdd081e36ffa78d5d69523f4672ad6b64af65b15aa44d87f2473bfdba1cb
                                • Opcode Fuzzy Hash: a5bf0be138c7e6210da0c7530de945f3f20b4822811d1fbdd3ff1debfdce1510
                                • Instruction Fuzzy Hash: C511E5715007019FC730EF61C981A96F7F2BF44350B444A2FE18786A41DB78B94AEF51
                                APIs
                                • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00F469C8
                                • GetProcAddress.KERNEL32(00000000,FindFirstStreamW), ref: 00F469DC
                                • GetProcAddress.KERNEL32(00000000,FindNextStreamW), ref: 00F469E9
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: AddressProc$HandleModule
                                • String ID: FindFirstStreamW$FindNextStreamW$kernel32.dll
                                • API String ID: 667068680-4044117955
                                • Opcode ID: 03e87dc8a211aa5365c01843be2b9d9c25e72a19dcbac15791ef53b2a0bd2598
                                • Instruction ID: e3b1a7b6309ad96b5c4220c099803266ebf041767db7240e49ae0920932f401d
                                • Opcode Fuzzy Hash: 03e87dc8a211aa5365c01843be2b9d9c25e72a19dcbac15791ef53b2a0bd2598
                                • Instruction Fuzzy Hash: 25E0CD717003596F5204476A9C8D836FEEDE6C9F90315012BBC00D3350D9F56C027BE2
                                APIs
                                • memcmp.MSVCRT(?,00FF48A0,00000010), ref: 00F828EA
                                • memcmp.MSVCRT(?,00FF0258,00000010), ref: 00F82907
                                • memcmp.MSVCRT(?,00FF02D8,00000010), ref: 00F8291A
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: 949371783c3764ff1a031f2a20d8df2a48d72294b44769ea95d931acfac252c9
                                • Instruction ID: ca988de8585cbc5499f7ebc59cdd62bc6fe6fb66d7d9df59aba91d375b6114d5
                                • Opcode Fuzzy Hash: 949371783c3764ff1a031f2a20d8df2a48d72294b44769ea95d931acfac252c9
                                • Instruction Fuzzy Hash: 97317872B403096BD7446A14CC82FBF33AD9F60764F044125FE469B352FA64EE14B7A1
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: __aulldiv$H_prolog
                                • String ID: x$x
                                • API String ID: 2300968129-177600594
                                • Opcode ID: 1804307489cd0efc8f3bf7bbe8423825950dc0531ad76e52d0c3001ea4defabf
                                • Instruction ID: 44a07a0d1c5a4a99d26462b0779b249dcbe7ef1440635796e99ffbac5f564939
                                • Opcode Fuzzy Hash: 1804307489cd0efc8f3bf7bbe8423825950dc0531ad76e52d0c3001ea4defabf
                                • Instruction Fuzzy Hash: 66125A71D00209EFCF10DFA4C881AEDBBB5BF48325F2481A9EA15AB261D7359D49EF50
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F45F56
                                • CreateDirectoryW.KERNEL32(?,00000000,00000000,?,00000000), ref: 00F45F78
                                • GetLastError.KERNEL32(?,00000000,00000000,?,00000000), ref: 00F45F89
                                • CreateDirectoryW.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00F45FC4
                                • GetLastError.KERNEL32 ref: 00F45FD2
                                • GetLastError.KERNEL32(00000000,?,00000000), ref: 00F4602C
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ErrorLast$CreateDirectory$H_prolog
                                • String ID:
                                • API String ID: 798237638-0
                                • Opcode ID: 5ff3670c8f6586b04d8a980bca6e09bc2f212ed19755e6b6e5ddac052429d77a
                                • Instruction ID: adcf77e01b8f46715bff4c6bd8f392a729d56751e0e73576e0955f553c184c53
                                • Opcode Fuzzy Hash: 5ff3670c8f6586b04d8a980bca6e09bc2f212ed19755e6b6e5ddac052429d77a
                                • Instruction Fuzzy Hash: 2931F532900214DADF14ABB4CC96BED7F35AF02364F140025ED02A7193DF6A4E8AF692
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: __aulldiv$__aullrem
                                • String ID:
                                • API String ID: 2022606265-0
                                • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                • Instruction ID: 74a49771d38d64d63a7a39acba4b5eb2ab7978817d25bdb9c27a1f9448a2b374
                                • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                • Instruction Fuzzy Hash: AB21A57190021DBEDF119F958C81D9F7E6AFF417B4F288226BA1565290D2B18D60F7A0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F46A7D
                                  • Part of subcall function 00F46848: FindClose.KERNELBASE(00000000,?,00F46880), ref: 00F46853
                                • SetLastError.KERNEL32(00000078,00000000,?,?), ref: 00F46AA6
                                • SetLastError.KERNEL32(00000000,00000000,?,?), ref: 00F46AB2
                                • FindFirstStreamW.KERNELBASE(?,00000000,?,00000000), ref: 00F46AD3
                                • GetLastError.KERNEL32(?,?), ref: 00F46AE0
                                • FindFirstStreamW.KERNELBASE(?,00000000,?,00000000), ref: 00F46B1C
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ErrorFindLast$FirstStream$CloseH_prolog
                                • String ID:
                                • API String ID: 1050961465-0
                                • Opcode ID: b258e0e9d03f54e4d3335a540dcf05c009d9da3b6c03ba962bef7756e01f428b
                                • Instruction ID: 6a9672c353c5afd51787daa16cc0258e3fac58729392bf4a024156e50315b244
                                • Opcode Fuzzy Hash: b258e0e9d03f54e4d3335a540dcf05c009d9da3b6c03ba962bef7756e01f428b
                                • Instruction Fuzzy Hash: 4621BA31900105EACB25AF60CC899AEBF79FBC6364F10422AFCA1D6191DB394986FB51
                                APIs
                                • fputs.MSVCRT ref: 00F7CCC2
                                  • Part of subcall function 00F7C7D7: fputs.MSVCRT ref: 00F7C840
                                • fputs.MSVCRT ref: 00F7CE43
                                  • Part of subcall function 00F41F91: fflush.MSVCRT ref: 00F41F93
                                • fputs.MSVCRT ref: 00F7CD75
                                  • Part of subcall function 00F41FA0: fputc.MSVCRT ref: 00F41FA7
                                  • Part of subcall function 00F41FB3: __EH_prolog.LIBCMT ref: 00F41FB8
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prologfflushfputc
                                • String ID: ERRORS:$WARNINGS:
                                • API String ID: 1876658717-3472301450
                                • Opcode ID: 60c4d6d58238ec50ba7a921f3cab0ec8eb7a7964ff3488f54b4159f3c152f5a4
                                • Instruction ID: 7c876b8ce6a7f8f123968fee985559fcab1b2de913d16f7bbb4dfedb89c283d3
                                • Opcode Fuzzy Hash: 60c4d6d58238ec50ba7a921f3cab0ec8eb7a7964ff3488f54b4159f3c152f5a4
                                • Instruction Fuzzy Hash: AA717734A00701DFDB25EF61D895BA97BA2BF44360F04C52EEC5E47251CB34AC85EB92
                                APIs
                                • DeviceIoControl.KERNEL32(?,00074004,00000000,00000000,?,00000020,?,00000000), ref: 00F47963
                                • DeviceIoControl.KERNEL32(?,000700A0,00000000,00000000,?,00000028,?,00000000), ref: 00F47A06
                                • DeviceIoControl.KERNEL32(?,00070000,00000000,00000000,?,00000018,?,00000000), ref: 00F47A36
                                • DeviceIoControl.KERNEL32(?,0002404C,00000000,00000000,?,00000018,?,00000000), ref: 00F47A58
                                  • Part of subcall function 00F49252: GetModuleHandleW.KERNEL32(kernel32.dll,GetDiskFreeSpaceExW,74DEF5D0,?,00000000,?,?,00074004,00000000,00000000,?,00000020,?,00000000), ref: 00F4926E
                                  • Part of subcall function 00F49252: GetProcAddress.KERNEL32(00000000), ref: 00F49275
                                  • Part of subcall function 00F49252: GetDiskFreeSpaceW.KERNEL32(?,?,00000000,00000020,?,?,00000000,?,?,00074004,00000000,00000000,?,00000020,?,00000000), ref: 00F492C5
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ControlDevice$AddressDiskFreeHandleModuleProcSpace
                                • String ID: :
                                • API String ID: 4250411929-336475711
                                • Opcode ID: ffe5a8705d8c0c5cfd61d47be0c0a2400f30fcab833d0a797baec4073aa705bd
                                • Instruction ID: 46b7baa561fe9a71677cdac59767a8c0640da243a69503d3df3f07471d8aac9f
                                • Opcode Fuzzy Hash: ffe5a8705d8c0c5cfd61d47be0c0a2400f30fcab833d0a797baec4073aa705bd
                                • Instruction Fuzzy Hash: 9351B271D08348AEDB21EBA4C881EEEBFFCEF04314F04C45AE59997291D375A948DB60
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F4A091
                                  • Part of subcall function 00F49BAA: RegCloseKey.ADVAPI32(?,?,00F49BA0), ref: 00F49BB6
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CloseH_prolog
                                • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$Previous Update Revision$Update Revision$x86
                                • API String ID: 1579395594-270022386
                                • Opcode ID: 2b23fc5c6afea9334dc82b6f3ce1708e84b62b67ca4c03ae2cc7951f42d61211
                                • Instruction ID: 1112e3d445764d7ac4fd67586309371e5cdb277eb6932eecd97ac3e0132c2622
                                • Opcode Fuzzy Hash: 2b23fc5c6afea9334dc82b6f3ce1708e84b62b67ca4c03ae2cc7951f42d61211
                                • Instruction Fuzzy Hash: EB51B371E412459FCF10EF99CC929AEBBB5FF98300F40442EE912A7241DB749E05EB92
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F49E7A
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prologfree
                                • String ID: act:$ cpus:$ gran:$ page:
                                • API String ID: 1978129608-454015223
                                • Opcode ID: fee9567c4543fb84a2dd73e01ce783880f63ff21873327db8643343165d55d73
                                • Instruction ID: fc81cce43e7423a8355f7a8b7db1b0f5b261ee3dee771e8b80b6708f0b2fc9e8
                                • Opcode Fuzzy Hash: fee9567c4543fb84a2dd73e01ce783880f63ff21873327db8643343165d55d73
                                • Instruction Fuzzy Hash: 7941A571B047009BDF24AE258C51B7F7AA2AB84724F04093EBC57976D2CEBC9C48B651
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F52CB9
                                  • Part of subcall function 00F41AA1: __EH_prolog.LIBCMT ref: 00F41AA6
                                  • Part of subcall function 00F41AA1: GetLastError.KERNEL32(?,00000000,00000000), ref: 00F41AD5
                                • _CxxThrowException.MSVCRT(00000001,00FF6010), ref: 00F52D73
                                  • Part of subcall function 00F458A9: __EH_prolog.LIBCMT ref: 00F458AE
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                  • Part of subcall function 00F61DBF: __EH_prolog.LIBCMT ref: 00F61DC4
                                • _CxxThrowException.MSVCRT(00000001,00FF6010), ref: 00F52D56
                                • _CxxThrowException.MSVCRT(00000001,00FF6010), ref: 00F52D9A
                                Strings
                                • The file operation error for listfile, xrefs: 00F52D03
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ExceptionThrow$ErrorLastfree
                                • String ID: The file operation error for listfile
                                • API String ID: 362913088-4247703111
                                • Opcode ID: 0319525aab7a89276851b0a92236cd1fc5d04053b42ba0c40bafe67fc527ad3f
                                • Instruction ID: cbce56be81e2067734e2bbdb9613a05168896bbf60fb3a89ab9e3bd7ef320832
                                • Opcode Fuzzy Hash: 0319525aab7a89276851b0a92236cd1fc5d04053b42ba0c40bafe67fc527ad3f
                                • Instruction Fuzzy Hash: C2417E31D00119ABCF10EFE4DC519EEBBB5BF49700F14811AF95273252CB78AA49EBA0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F7D829
                                • EnterCriticalSection.KERNEL32(01002960,?,00000001,?,?,00F7DBB0,?,0000006F,0000006F), ref: 00F7D83D
                                • fputs.MSVCRT ref: 00F7D88E
                                • LeaveCriticalSection.KERNEL32(01002960,?,00000001,?,?,00F7DBB0,?,0000006F,0000006F), ref: 00F7D95F
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterH_prologLeavefputs
                                • String ID: v
                                • API String ID: 2174113412-3261393531
                                • Opcode ID: e2f5973826b6fd96e964f5505d0cef18264c0bd0055b865f86a45ce7a789ce5d
                                • Instruction ID: 9390916c3266c685eb250c3b8e61cd8e87b0bca36ef8649087dce638231d01e7
                                • Opcode Fuzzy Hash: e2f5973826b6fd96e964f5505d0cef18264c0bd0055b865f86a45ce7a789ce5d
                                • Instruction Fuzzy Hash: B041A231A00785DFCB21AF64C8907AEBBB2FF45350F44842EF59E97251C735A845EB92
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F45C83
                                • GetModuleHandleW.KERNEL32(kernel32.dll,CreateHardLinkW), ref: 00F45C9D
                                • GetProcAddress.KERNEL32(00000000), ref: 00F45CA4
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: AddressH_prologHandleModuleProc
                                • String ID: CreateHardLinkW$kernel32.dll
                                • API String ID: 786088110-294928789
                                • Opcode ID: 4048fe0c78e14a210dcd72b12f4e099ad4e38e9d585c0fdf1863251a361dff9c
                                • Instruction ID: 4884b977e56e69db7554d1712f284354535b0a623ea808c2b95f6bb3d1025e7c
                                • Opcode Fuzzy Hash: 4048fe0c78e14a210dcd72b12f4e099ad4e38e9d585c0fdf1863251a361dff9c
                                • Instruction Fuzzy Hash: C6218032D00616ABCF25EBA4CD4ABEEBF75AF04B50F140026FD01B2292CA359D41F7A1
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog
                                • String ID: Archive size: $Files read from disk$Volumes:
                                • API String ID: 2614055831-73833580
                                • Opcode ID: b76bc4973a0e3f2f5ec2c07380f7725e3eb3953066a9bdce88e2a5a8a445c61c
                                • Instruction ID: bf25a14606a4a6a6dbfcbaf366fc783d4134cad64c8e55887033da38f5d77cf2
                                • Opcode Fuzzy Hash: b76bc4973a0e3f2f5ec2c07380f7725e3eb3953066a9bdce88e2a5a8a445c61c
                                • Instruction Fuzzy Hash: D121837180060ADFCB54EB60CC52FEEBB71BF54300F44813AB906520A1DF786999EF92
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F746D4
                                • EnterCriticalSection.KERNEL32(01002918), ref: 00F746E8
                                • CompareFileTime.KERNEL32(?,?), ref: 00F74712
                                • LeaveCriticalSection.KERNEL32(01002918), ref: 00F7476A
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$CompareEnterFileH_prologLeaveTime
                                • String ID: v
                                • API String ID: 3800395459-3261393531
                                • Opcode ID: b2f804ee740c21c58ceaaed4351df1b252ef14526e86c561293899169149f5d6
                                • Instruction ID: 3c7650ad2e855c7226be0eec8ae0e10d35364e934054c564bd0d82736a3ea9eb
                                • Opcode Fuzzy Hash: b2f804ee740c21c58ceaaed4351df1b252ef14526e86c561293899169149f5d6
                                • Instruction Fuzzy Hash: A721DC72900245AFDB24CF28C884B9ABBB5FF41314F10801EE89A87611D734FA4AEB91
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F74642
                                • EnterCriticalSection.KERNEL32(01002918), ref: 00F74656
                                • LeaveCriticalSection.KERNEL32(01002918), ref: 00F74685
                                • LeaveCriticalSection.KERNEL32(01002918), ref: 00F746C5
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$Leave$EnterH_prolog
                                • String ID: v
                                • API String ID: 2532973370-3261393531
                                • Opcode ID: 7a882a198b1c38362c2697dcb87386567dff5db23bdafbca866d615a01216c25
                                • Instruction ID: 083aafcf0f4147c3ba0d1faf9c280691863091441ca987730c997e508fe3d327
                                • Opcode Fuzzy Hash: 7a882a198b1c38362c2697dcb87386567dff5db23bdafbca866d615a01216c25
                                • Instruction Fuzzy Hash: 07115E76B00205AFC710DF15C8C496EF7A9FF8A720B14822EE91ADB700C774ED05AB91
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F7B8E2
                                • fputs.MSVCRT ref: 00F7B90B
                                  • Part of subcall function 00F458A9: __EH_prolog.LIBCMT ref: 00F458AE
                                  • Part of subcall function 00F41FB3: __EH_prolog.LIBCMT ref: 00F41FB8
                                  • Part of subcall function 00F41FA0: fputc.MSVCRT ref: 00F41FA7
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                • fputs.MSVCRT ref: 00F7B94F
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$fputs$fputcfree
                                • String ID: : $----------------
                                • API String ID: 1877784702-4071417161
                                • Opcode ID: 285d1ddfe99807dd5a25f85fb5495ef1b35cdf5882baebf30da7c86477e055af
                                • Instruction ID: ccadc1617ab799a18b165456638463e117aa052bc9349101110c94a677a6d1c9
                                • Opcode Fuzzy Hash: 285d1ddfe99807dd5a25f85fb5495ef1b35cdf5882baebf30da7c86477e055af
                                • Instruction Fuzzy Hash: 78019631A04201DFCB15BFA4EC86A5DBBB2FF84360B10413EF556972A2CF399905AA41
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F7D40B
                                • fputs.MSVCRT ref: 00F7D42E
                                  • Part of subcall function 00F41FB3: __EH_prolog.LIBCMT ref: 00F41FB8
                                • fputs.MSVCRT ref: 00F7D46A
                                  • Part of subcall function 00F41FA0: fputc.MSVCRT ref: 00F41FA7
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prologfputs$fputcfree
                                • String ID: : $Write SFX:
                                • API String ID: 1941438168-2530961540
                                • Opcode ID: bcd63cc6b77e6dd729712d2eb1210e33b095e4d480db67a42f293954d4db2b30
                                • Instruction ID: 93de2f58cc0801321c730f43786735571b9f15a008626a18fa498ea5630d27e7
                                • Opcode Fuzzy Hash: bcd63cc6b77e6dd729712d2eb1210e33b095e4d480db67a42f293954d4db2b30
                                • Instruction Fuzzy Hash: 2C0184326042059FCB15AFA4EC02ADDBBB6FF44320F14442AF905A21A1DF756955EB45
                                APIs
                                • GetSystemInfo.KERNEL32(?), ref: 00F49E36
                                  • Part of subcall function 00F49E75: __EH_prolog.LIBCMT ref: 00F49E7A
                                • GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 00F49E50
                                • GetProcAddress.KERNEL32(00000000), ref: 00F49E57
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: AddressH_prologHandleInfoModuleProcSystem
                                • String ID: GetNativeSystemInfo$kernel32.dll
                                • API String ID: 2024292667-192647395
                                • Opcode ID: 3147196a524266c4a2ec185edecaa2e990b4ed70ed510769fc4ec6fc5ca9ccdc
                                • Instruction ID: 83b52544cc141eed88fd52549b402dc221faaa1aec0261f66051b128c1851146
                                • Opcode Fuzzy Hash: 3147196a524266c4a2ec185edecaa2e990b4ed70ed510769fc4ec6fc5ca9ccdc
                                • Instruction Fuzzy Hash: E4F0C2726003449FC701DBA4CC49B9EBBF8AF84711F044544F80697181DBF8E902D7E2
                                APIs
                                • GetVersion.KERNEL32(00F7C2E1), ref: 00FDD290
                                • GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 00FDD2A6
                                • GetProcAddress.KERNEL32(00000000), ref: 00FDD2AD
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: AddressHandleModuleProcVersion
                                • String ID: SetDefaultDllDirectories$kernel32.dll
                                • API String ID: 3310240892-2102062458
                                • Opcode ID: 5056dd092c9f79594e602aff68612dea20cf764f1bc783db48bb3f1e57f841fb
                                • Instruction ID: 546c6746dabf99bcbc6a10d4c2564fc35121cdd14029bdeab86fbb2fb46d82ae
                                • Opcode Fuzzy Hash: 5056dd092c9f79594e602aff68612dea20cf764f1bc783db48bb3f1e57f841fb
                                • Instruction Fuzzy Hash: A0C0123064224997E61027F45D4EF2635175B00F53F4E4042FE01D80E4CA9CC443B5A3
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F59199
                                • memcpy.MSVCRT(?,?,?,?,00000000,?,?), ref: 00F5921D
                                • memcpy.MSVCRT(?,?,?,?,?,?,00000000,?,?), ref: 00F5933B
                                • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00F5934F
                                • memset.MSVCRT ref: 00F5955C
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: memcpy$H_prologmemset
                                • String ID:
                                • API String ID: 2371260246-0
                                • Opcode ID: f0ff2bd67cc6c71186e55cb0443d4d8ebd655e61f07e7e508d7510992b3f30d1
                                • Instruction ID: 839f7bd9b27f3d57380060ce0ee6bce0e241113845da7a1975dbee9a1ee15af7
                                • Opcode Fuzzy Hash: f0ff2bd67cc6c71186e55cb0443d4d8ebd655e61f07e7e508d7510992b3f30d1
                                • Instruction Fuzzy Hash: 2312C271A04305DFCB24CFA4C884AAEB7F5BF44311F18886DEA5ADB251D7B4AC49EB10
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: wcscmp$ExceptionH_prologThrow
                                • String ID:
                                • API String ID: 2750596395-0
                                • Opcode ID: f46b9ce8764284dd6895fb613107fd7cfd39e7b0f0cf21f9eb181d932330abad
                                • Instruction ID: 95a79dd79d27868deb0bf692832fbf90afe57bc90b3fd71e7b5bffa1c724e446
                                • Opcode Fuzzy Hash: f46b9ce8764284dd6895fb613107fd7cfd39e7b0f0cf21f9eb181d932330abad
                                • Instruction Fuzzy Hash: BD917831D012499FCF25DFA8C885BEDBFB1BF54324F188059E811B7292DB34AA45EB91
                                APIs
                                • memset.MSVCRT ref: 00FA03F5
                                • memcpy.MSVCRT(?,?,00000008,00000064,?,?,?,?,00000064), ref: 00FA0490
                                • memset.MSVCRT ref: 00FA0618
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: memset$memcpy
                                • String ID: $@
                                • API String ID: 368790112-1077428164
                                • Opcode ID: 4aeeaeb0a55c5d6ec5e461398f05d962cc386f3a1e831836224bec00f4204b26
                                • Instruction ID: aab5f754a6b97e989a0d2aa967ae411541d060e41b4512be30c69e2c17136e23
                                • Opcode Fuzzy Hash: 4aeeaeb0a55c5d6ec5e461398f05d962cc386f3a1e831836224bec00f4204b26
                                • Instruction Fuzzy Hash: 5F91E2B0900309AFEB20DF24DC41BDAB7B1BF56314F048469E59A57292DF74BA98DF80
                                APIs
                                  • Part of subcall function 00FD2FB0: EnterCriticalSection.KERNEL32(?,?,?,00FD2749), ref: 00FD2FB8
                                  • Part of subcall function 00FD2FB0: LeaveCriticalSection.KERNEL32(?,?,?,00FD2749), ref: 00FD2FC2
                                • EnterCriticalSection.KERNEL32(?), ref: 00FD290E
                                • LeaveCriticalSection.KERNEL32(?), ref: 00FD2928
                                • EnterCriticalSection.KERNEL32(?), ref: 00FD2992
                                • LeaveCriticalSection.KERNEL32(?), ref: 00FD29B8
                                • EnterCriticalSection.KERNEL32(?), ref: 00FD2A1E
                                • LeaveCriticalSection.KERNEL32(?), ref: 00FD2A56
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeave
                                • String ID: v
                                • API String ID: 3168844106-3261393531
                                • Opcode ID: a5e48ee80cac1786c7b31ec3e69907de7a7c5cc8351745ad57a18dd603fbac51
                                • Instruction ID: fd767eecb94b93a216986d051290ea3593e89c13bfd49ebfc82516557a5f4ab9
                                • Opcode Fuzzy Hash: a5e48ee80cac1786c7b31ec3e69907de7a7c5cc8351745ad57a18dd603fbac51
                                • Instruction Fuzzy Hash: B3610B759047018FC7A1DF24C480B6BB3E2FFA4364F58491EE9AA87351EB34E845EB91
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F46141
                                  • Part of subcall function 00F46C72: __EH_prolog.LIBCMT ref: 00F46C77
                                • SetLastError.KERNEL32(0000010B,00000000,00000000), ref: 00F46197
                                • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 00F4626E
                                • SetLastError.KERNEL32(?,?,?,?,?,0000005C,?,00000000,00000000), ref: 00F462A9
                                  • Part of subcall function 00F46096: __EH_prolog.LIBCMT ref: 00F4609B
                                  • Part of subcall function 00F46096: DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00F460DF
                                • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 00F46285
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ErrorLast$H_prolog$DeleteFile
                                • String ID:
                                • API String ID: 3586524497-0
                                • Opcode ID: 9e0a5b8f91214275e0a6b942cee520d792919bb3bbce752df7c8b669e0ff3f15
                                • Instruction ID: fd373e7187e5aaa78eeedc62490a305962119f409939be648baa6933ffbedc34
                                • Opcode Fuzzy Hash: 9e0a5b8f91214275e0a6b942cee520d792919bb3bbce752df7c8b669e0ff3f15
                                • Instruction Fuzzy Hash: 55519A31C04269AADF15EBE4DC81BEDBF74AF12354F104169EC41B3193DB782A4AEB52
                                APIs
                                  • Part of subcall function 00FD7D80: WaitForSingleObject.KERNEL32(?,000000FF,00F5AFD6,?), ref: 00FD7D83
                                  • Part of subcall function 00FD7D80: GetLastError.KERNEL32(?,000000FF,00F5AFD6,?), ref: 00FD7D8E
                                • EnterCriticalSection.KERNEL32(?), ref: 00FC926B
                                • EnterCriticalSection.KERNEL32(?), ref: 00FC9274
                                • LeaveCriticalSection.KERNEL32(?), ref: 00FC9296
                                • LeaveCriticalSection.KERNEL32(?), ref: 00FC9299
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ErrorLastObjectSingleWait
                                • String ID: v
                                • API String ID: 2116739831-3261393531
                                • Opcode ID: 80422f6221def228440bf453eb115fc82f49d2acb44f5aca7c16221832837f26
                                • Instruction ID: 8f4028e1aeb806f211d38c4a17f73aa45aa8ac315a2250b80fa9597c7604cee2
                                • Opcode Fuzzy Hash: 80422f6221def228440bf453eb115fc82f49d2acb44f5aca7c16221832837f26
                                • Instruction Fuzzy Hash: C1415C31604B069FC718EF74CD85B9AF3A9BF48310F00862DE4AA47641DB75B945DB90
                                APIs
                                • WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00F4384C
                                • GetLastError.KERNEL32 ref: 00F43855
                                • _CxxThrowException.MSVCRT(?,00FF4A58), ref: 00F43873
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000001,00000001), ref: 00F438DA
                                • _CxxThrowException.MSVCRT(0000FDE9,00FF4A58), ref: 00F43902
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ByteCharExceptionMultiThrowWide$ErrorLast
                                • String ID:
                                • API String ID: 2296236218-0
                                • Opcode ID: 0916f23968fece4d105e48ec38b8896b7a9b5faf2021323de0a24b51994b3eea
                                • Instruction ID: 7f74c7062880b6f89cebd97296e63a75a2fab46b44c3f500a1abf5c9235d593f
                                • Opcode Fuzzy Hash: 0916f23968fece4d105e48ec38b8896b7a9b5faf2021323de0a24b51994b3eea
                                • Instruction Fuzzy Hash: FA310172904209BFDB00CF64CC84BAEBFF9EF05304F148059E854D7240D774AA45DBA0
                                APIs
                                • memcmp.MSVCRT(?,00FF48A0,00000010), ref: 00F544DB
                                • memcmp.MSVCRT(?,00FF0128,00000010), ref: 00F544EE
                                • memcmp.MSVCRT(?,00FF0228,00000010), ref: 00F5450B
                                • memcmp.MSVCRT(?,00FF0248,00000010), ref: 00F54528
                                • memcmp.MSVCRT(?,00FF01C8,00000010), ref: 00F54545
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: 6b80a0d6b401df3488ed2ce42a6c03042a58e28991729c6f39ac80872ed75846
                                • Instruction ID: 83cf41aae5f7e832275b9eb14c55859e5bc170d8621cecf5bb201e4f2035318d
                                • Opcode Fuzzy Hash: 6b80a0d6b401df3488ed2ce42a6c03042a58e28991729c6f39ac80872ed75846
                                • Instruction Fuzzy Hash: 22219572B502086BE7048E10DC81F7E33AD9F507A9F088135FF069B256FA64EE48B691
                                APIs
                                • memcmp.MSVCRT(?,00FF48A0,00000010), ref: 00FA672A
                                • memcmp.MSVCRT(?,00FF0258,00000010), ref: 00FA6747
                                • memcmp.MSVCRT(?,00FF02D8,00000010), ref: 00FA675A
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: 37e7d69abe79fe156370a1714528766a7fc329275f1ca67b2590c9bb4ff88e89
                                • Instruction ID: 916a486ddafc441a90f0fb8c3fbcbe8a4f7a8a308b705f0143ccd5cd9a38d913
                                • Opcode Fuzzy Hash: 37e7d69abe79fe156370a1714528766a7fc329275f1ca67b2590c9bb4ff88e89
                                • Instruction Fuzzy Hash: 7A21C9B27602086BE7048E10CC85F7E33AD9F517A9F084529FE06DB251FA64DE14B7A1
                                APIs
                                • memcmp.MSVCRT(?,00FF48A0,00000010), ref: 00F689D5
                                • memcmp.MSVCRT(?,00FF0258,00000010), ref: 00F689F2
                                • memcmp.MSVCRT(?,00FF0328,00000010), ref: 00F68A05
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: a5dda00719474dd99e8825ee8673078517298780073210d5547aee25dfa4993f
                                • Instruction ID: ee0606a988f8162e95a4fc3200ec28a66bf44f27a7727b7bfaf7ca138106feac
                                • Opcode Fuzzy Hash: a5dda00719474dd99e8825ee8673078517298780073210d5547aee25dfa4993f
                                • Instruction Fuzzy Hash: 3D2195727402087BE7048E108C82F7E33A99F517E4F04422EFE469B251FA68DE45B7A1
                                APIs
                                • memcmp.MSVCRT(?,00FF48A0,00000010), ref: 00F4B523
                                • memcmp.MSVCRT(?,00FF0088,00000010), ref: 00F4B540
                                • memcmp.MSVCRT(?,00FF00A8,00000010), ref: 00F4B553
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: 689abefd8adea55d3d042a8b1155220b71213502dc3a733df604f1809220b92c
                                • Instruction ID: c0517241cefbd46a311225faf93099e33dd6338fbe0fba5ee12338a457f792b6
                                • Opcode Fuzzy Hash: 689abefd8adea55d3d042a8b1155220b71213502dc3a733df604f1809220b92c
                                • Instruction Fuzzy Hash: A021C2727002086BE7144E10DC82F7EB7A99F607A4F084429FE069B246FB64DE14B791
                                APIs
                                • memcmp.MSVCRT(?,00FF48A0,00000010), ref: 00F85E8A
                                • memcmp.MSVCRT(?,00FF0168,00000010), ref: 00F85EA7
                                • memcmp.MSVCRT(?,00FF0198,00000010), ref: 00F85EBA
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: b92cd9c238018884a6fdffea580804c79b8f005876ec6100476f35fe7dbcc15e
                                • Instruction ID: 77f291fb3f2133dff6e53ccb1ab7b914c6d54f6e8bc803b0d27c0ceb1e4ece82
                                • Opcode Fuzzy Hash: b92cd9c238018884a6fdffea580804c79b8f005876ec6100476f35fe7dbcc15e
                                • Instruction Fuzzy Hash: CE21A1B27502096BE704AF10CC82FBF33A99F64BA5F044029FE468B252F664DE04B791
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F459C4
                                • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000000,?,?,?,?,?), ref: 00F45A03
                                • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,00000000,?,?,00000000,?,?,?,?,?), ref: 00F45A43
                                • SetFileTime.KERNEL32(000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,?), ref: 00F45A65
                                • CloseHandle.KERNEL32(000000FF,?,00000000,?,?,?,?,?,?,?), ref: 00F45A73
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: File$Create$CloseH_prologHandleTime
                                • String ID:
                                • API String ID: 213185242-0
                                • Opcode ID: 672df1ed1cb17a27cdea2b6cb7510aab48b9524c9541e74c1baf6d62f9382a3b
                                • Instruction ID: ade1d2f831d123afcf05b28d2feb851cdab7894a381642be6788e29ecd722a6f
                                • Opcode Fuzzy Hash: 672df1ed1cb17a27cdea2b6cb7510aab48b9524c9541e74c1baf6d62f9382a3b
                                • Instruction Fuzzy Hash: 22216D31D4020AABDF11AFA4DC46BEEBF76EB04724F100225F920761E2C7794A85EB90
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prologfputcfreestrlen
                                • String ID:
                                • API String ID: 154898386-0
                                • Opcode ID: 1c897d5abc38e17350d3a7caf7cfec0bf9e06014bd6174a6eee6e54292f1d393
                                • Instruction ID: 4364d2bfd52d3e54925042f9748aca362effde0fafdd2352bccc59ca468b778c
                                • Opcode Fuzzy Hash: 1c897d5abc38e17350d3a7caf7cfec0bf9e06014bd6174a6eee6e54292f1d393
                                • Instruction Fuzzy Hash: 1D117332A00109EFCF05AFA4DC42AADBF76EF44360F104076F51597191DB355A59EB90
                                APIs
                                • __EH_prolog.LIBCMT ref: 00FAA8B9
                                  • Part of subcall function 00F4965D: VariantClear.OLEAUT32(?), ref: 00F4967F
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ClearH_prologVariant
                                • String ID: ZIP$exe$zip
                                • API String ID: 1166855276-1635144978
                                • Opcode ID: 522f6870db7f26baaa6be0d7d8bb2fef32e1505c5709a2d820e1d3d22e83e65c
                                • Instruction ID: c88ac5533eb2465303e8a0bb78207da60b58929536fa705e8170aebfbe30e831
                                • Opcode Fuzzy Hash: 522f6870db7f26baaa6be0d7d8bb2fef32e1505c5709a2d820e1d3d22e83e65c
                                • Instruction Fuzzy Hash: 8B61C671D00246DFCF21DFE4C841AEEBBF1AF19314F504529E442A7252D7786A8DE752
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: !$LZMA2:$LZMA:
                                • API String ID: 3519838083-3332058968
                                • Opcode ID: bdc7fbbb2d6e2746018c6c82d09cb0ab7aa783c0303d96eaf1950bc2b610ddac
                                • Instruction ID: c7ecb0a327b0703f54820518904f41909331dbfa6eec6bc88a9b2dca91e9c24e
                                • Opcode Fuzzy Hash: bdc7fbbb2d6e2746018c6c82d09cb0ab7aa783c0303d96eaf1950bc2b610ddac
                                • Instruction Fuzzy Hash: 6261F231D0414ADEDF15EB64C959FFD7BE1AF15350F2840B9E80A6B162DB70AE80E7A0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F8E774
                                  • Part of subcall function 00F43563: memmove.MSVCRT(?,00000000,00000022,00000000,?,00F41DAE,00000000,00000000,00000000,00F41D37,?,00000000,00000000), ref: 00F43588
                                  • Part of subcall function 00F8E6C2: __EH_prolog.LIBCMT ref: 00F8E6C7
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$memmove
                                • String ID: hcf$mtf$rsfx
                                • API String ID: 593149739-3699647704
                                • Opcode ID: 001dad57a0e2fa103d7ab9292f4bb18c253f1b2efd5d483ed7fa774a42eacd02
                                • Instruction ID: ffcad5908a81986cc8363450444869c93c25a24fa8f231c789ef129f4f5c46c8
                                • Opcode Fuzzy Hash: 001dad57a0e2fa103d7ab9292f4bb18c253f1b2efd5d483ed7fa774a42eacd02
                                • Instruction Fuzzy Hash: 1D51A531E0014A9BCF64FFA0C891AFEB772AF80324F148529ED655B292DB789D09F751
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F76C79
                                  • Part of subcall function 00F76AFA: __EH_prolog.LIBCMT ref: 00F76AFF
                                • fputs.MSVCRT ref: 00F76DAE
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$fputs
                                • String ID: Name$Size
                                • API String ID: 3822167597-481755742
                                • Opcode ID: 8b15fc286f247290986139ba2ae2935a37dc62a134687f68c37d4bd82a67ad24
                                • Instruction ID: 242d937ccce0b99f7b132f3cc342fbbf2e046c0f8b23af39f4cb0c3956c92d24
                                • Opcode Fuzzy Hash: 8b15fc286f247290986139ba2ae2935a37dc62a134687f68c37d4bd82a67ad24
                                • Instruction Fuzzy Hash: 36418235B006049FCF15EFA4C895AEDBBB1FF84350F14802AE849A7252DB38AD45EB52
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F52AAE
                                • _CxxThrowException.MSVCRT(?,00FF6010), ref: 00F52BC1
                                • _CxxThrowException.MSVCRT(?,00FF6010), ref: 00F52BDF
                                  • Part of subcall function 00F52BF5: __EH_prolog.LIBCMT ref: 00F52BFA
                                  • Part of subcall function 00F52BF5: _CxxThrowException.MSVCRT(?,00FF6010), ref: 00F52C9E
                                Strings
                                • There is no second file name for rename pair:, xrefs: 00F52BAE
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionThrow$H_prolog
                                • String ID: There is no second file name for rename pair:
                                • API String ID: 206451386-3412818124
                                • Opcode ID: f8fac8e4c7d349deef128aebda2f072d5fd9fe260835146f5670fb2e979f73f7
                                • Instruction ID: 731def67ab7020a8b40818469ff8a128f38bd5e9dfe9422e480d70bea8de406b
                                • Opcode Fuzzy Hash: f8fac8e4c7d349deef128aebda2f072d5fd9fe260835146f5670fb2e979f73f7
                                • Instruction Fuzzy Hash: 1741E131900209EBCF05DF94C881BAE7BB1BF86325F148219FD116B2D1C734A959EB91
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F66B88
                                  • Part of subcall function 00F804D2: _CxxThrowException.MSVCRT(00000000,00FF4A58), ref: 00F804F8
                                  • Part of subcall function 00F41524: __EH_prolog.LIBCMT ref: 00F41529
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                  • Part of subcall function 00F43599: memmove.MSVCRT(00000000,?,?,?,00000000,?,00F43528,00000000,?,00000000,00000000), ref: 00F435D5
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ExceptionThrowfreememmove
                                • String ID: crc$flags$memuse
                                • API String ID: 2665131394-339511674
                                • Opcode ID: f328ed61715a6ebee15bd1de2d4b26a6ae0bd73ee8e484358610765c541dbc41
                                • Instruction ID: c07a067bcc72b10c36255322d403f443a769d177209efe341b9c55dedd6a6271
                                • Opcode Fuzzy Hash: f328ed61715a6ebee15bd1de2d4b26a6ae0bd73ee8e484358610765c541dbc41
                                • Instruction Fuzzy Hash: 2531E33190014ADBCF01EB90CD12BEDBBB5EF54314F144064F941B7192CB799E89EBA1
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F4A389
                                  • Part of subcall function 00F4A4C5: GetModuleHandleW.KERNEL32(ntdll.dll,?,00F4A3C1,00000001), ref: 00F4A4CD
                                  • Part of subcall function 00F4A4C5: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00F4A4DD
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: AddressH_prologHandleModuleProc
                                • String ID: : $ SP:$Windows
                                • API String ID: 786088110-3655538264
                                • Opcode ID: fede42d03b9a7cba02f045ac3239f3675529247e27857aa40922f2b81d9abaf0
                                • Instruction ID: fab828f55f7dcd0f8e8ee01f8bf9c66a2843ad0582b02015fb53a133f9c6b6ed
                                • Opcode Fuzzy Hash: fede42d03b9a7cba02f045ac3239f3675529247e27857aa40922f2b81d9abaf0
                                • Instruction Fuzzy Hash: E1312D31D001199ADF15EBA1CC529EEBFB4BF18310F80047AF902731A1EF795A85EAA1
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$fputc
                                • String ID: : Removing files after including to archive$Removing
                                • API String ID: 1185151155-1218467041
                                • Opcode ID: 6174a75ed66b9e6d663fe5fe85855f7c9e5e4afd2aef27c3cf0aee0e9492d889
                                • Instruction ID: 897ff0f7fcfbb092507d0c5a40d907641b514d5cf127754c6ed03d71d4b3d1c4
                                • Opcode Fuzzy Hash: 6174a75ed66b9e6d663fe5fe85855f7c9e5e4afd2aef27c3cf0aee0e9492d889
                                • Instruction Fuzzy Hash: 8D3181325007059FC7A5AF70DC91AAAB7B6AF84320F44892FF59F02152DF257889EB52
                                APIs
                                • __EH_prolog.LIBCMT ref: 00FAD8F0
                                • EnterCriticalSection.KERNEL32(?), ref: 00FAD904
                                • LeaveCriticalSection.KERNEL32(?), ref: 00FAD994
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterH_prologLeave
                                • String ID: v
                                • API String ID: 367238759-3261393531
                                • Opcode ID: c9e852abe1af23734ac7325b521f89a821c03c50b46e3ed698a41d8921ab1e99
                                • Instruction ID: e08737a12d2cd85a9f45293473e92b18c143cea32c093f27581212785fdc4c93
                                • Opcode Fuzzy Hash: c9e852abe1af23734ac7325b521f89a821c03c50b46e3ed698a41d8921ab1e99
                                • Instruction Fuzzy Hash: 9931CEB9A00705DFCB24DF68C984A6BBBF4FF49360B04496DE99A97B11D730E904DB50
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F5EFDD
                                  • Part of subcall function 00F5B49A: memset.MSVCRT ref: 00F5B4B5
                                  • Part of subcall function 00F5B49A: strlen.MSVCRT ref: 00F5B4D3
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prologmemsetstrlen
                                • String ID: ?$ MB$RAM
                                • API String ID: 2475707007-294454972
                                • Opcode ID: c181377860ae3875ac197cdcdbc1b496989268b37c80de3ed91fac117f2f480b
                                • Instruction ID: baf694f4e205c0ff5f810517a1f87dd12bbf1d1f760c90eb3c57e9b914eb7ddb
                                • Opcode Fuzzy Hash: c181377860ae3875ac197cdcdbc1b496989268b37c80de3ed91fac117f2f480b
                                • Instruction Fuzzy Hash: EE2190317002059FCB24EF58C85AAAE7FB1EF99711F104469F6828B3E1CB749C45EB90
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F507E0
                                • EnterCriticalSection.KERNEL32(?), ref: 00F507F2
                                • LeaveCriticalSection.KERNEL32(?), ref: 00F5086B
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterH_prologLeave
                                • String ID: v
                                • API String ID: 367238759-3261393531
                                • Opcode ID: 39fc70ae8116da43bcb9193aa4a29de7ecf54e7d0fd6ee427e287220d25e1a90
                                • Instruction ID: d856bc334c631c84d5ef576eb77411f0e928ddc2841fa786ac9e2a6d02e2f3d3
                                • Opcode Fuzzy Hash: 39fc70ae8116da43bcb9193aa4a29de7ecf54e7d0fd6ee427e287220d25e1a90
                                • Instruction Fuzzy Hash: 84212835A00615DFD724CF29C584D5ABBF5FF88725B15866EE94A8B321C730ED05CB90
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: ASCII$UTF8$UTF8-ERROR
                                • API String ID: 3519838083-1783863097
                                • Opcode ID: b061e52d5960bca99911e34db9678d93416cc0da705f0c72f73c8e7ffde8164c
                                • Instruction ID: 298e6df200fca855f62a07e6271c2745752ae4b2a39bbe5f8c1f48682cb2bf73
                                • Opcode Fuzzy Hash: b061e52d5960bca99911e34db9678d93416cc0da705f0c72f73c8e7ffde8164c
                                • Instruction Fuzzy Hash: 1921C272C0524ADBEF14FFA4E9518EEBF74AF14310B44803BF84263152DB385988E710
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F6701D
                                  • Part of subcall function 00F67A40: __EH_prolog.LIBCMT ref: 00F67A45
                                  • Part of subcall function 00F67A40: wcscmp.MSVCRT ref: 00F67AD2
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                  • Part of subcall function 00F804D2: _CxxThrowException.MSVCRT(00000000,00FF4A58), ref: 00F804F8
                                  • Part of subcall function 00F674EB: __EH_prolog.LIBCMT ref: 00F674F0
                                  • Part of subcall function 00F67193: __EH_prolog.LIBCMT ref: 00F67198
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ExceptionThrowfreewcscmp
                                • String ID: A0$Hash$sha256 sha512 sha224 sha384 sha1 sha md5 crc32 crc64 asc cksum
                                • API String ID: 4250029832-3656212537
                                • Opcode ID: 2d6902fa6e3795f1f261ee388988f2cfc4e5ee5bf17f5672f5e56da94055a2ef
                                • Instruction ID: a564a2ab68d5f15dd7e0d03754539ec360d34345e6bec3491f525a1b7eb73944
                                • Opcode Fuzzy Hash: 2d6902fa6e3795f1f261ee388988f2cfc4e5ee5bf17f5672f5e56da94055a2ef
                                • Instruction Fuzzy Hash: 96218B71D05388AACB05EBE4DD969DDBFB5AF15314F10016DE80677282DB781E48EB21
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F52BFA
                                  • Part of subcall function 00F53AF1: __EH_prolog.LIBCMT ref: 00F53AF6
                                • _CxxThrowException.MSVCRT(?,00FF6010), ref: 00F52C9E
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ExceptionThrow
                                • String ID: -r0$Unsupported rename command:
                                • API String ID: 2366012087-1002762148
                                • Opcode ID: 85ad274b91f96dc5f34d2e89eae7838a116d14b3884bc10331d97f84aa82117c
                                • Instruction ID: f95dc656698e01f8bb1477b61635474494ec28c69e85252cbab6aff175ebe742
                                • Opcode Fuzzy Hash: 85ad274b91f96dc5f34d2e89eae7838a116d14b3884bc10331d97f84aa82117c
                                • Instruction Fuzzy Hash: 651196319002055ACB14FB91CD92DFDBB74AF95350F440029FE4262543DB79AB0EFA90
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog
                                • String ID: :
                                • API String ID: 2614055831-3653984579
                                • Opcode ID: 0acaef25d9deba220bfa23477ccd2d849a4c80bb50e73a322385a405d9de1d6f
                                • Instruction ID: 5af4ccab466c6afe115613b0d7fbb544534daabf0c1564e248b6b80e945cc295
                                • Opcode Fuzzy Hash: 0acaef25d9deba220bfa23477ccd2d849a4c80bb50e73a322385a405d9de1d6f
                                • Instruction Fuzzy Hash: A111A231900205DFCB15BB64CC92EAEBB72FF84320F50842FEC1A57251DB396886EB52
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F506FB
                                • EnterCriticalSection.KERNEL32(?), ref: 00F5070B
                                • LeaveCriticalSection.KERNEL32(?,?), ref: 00F50786
                                  • Part of subcall function 00F5089E: _CxxThrowException.MSVCRT(?,00FF4A58), ref: 00F508C4
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterExceptionH_prologLeaveThrow
                                • String ID: v
                                • API String ID: 4150843469-3261393531
                                • Opcode ID: 871fdf7e0861dae7c56512edbafa2635b10b9c189e8cd69bd30b73182570394c
                                • Instruction ID: 4757c1fb38b4810b48c306584c10d157072698fc5a413ba078b404c16c3c163d
                                • Opcode Fuzzy Hash: 871fdf7e0861dae7c56512edbafa2635b10b9c189e8cd69bd30b73182570394c
                                • Instruction Fuzzy Hash: FE214DB1A10605DFCB24DF28D984A69BBF1FF48315F10892EE44ACB641DB35A915DF40
                                APIs
                                • EnterCriticalSection.KERNEL32(01002938), ref: 00F75D61
                                • fputs.MSVCRT ref: 00F75DB4
                                • LeaveCriticalSection.KERNEL32(01002938), ref: 00F75DE2
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeavefputs
                                • String ID: v
                                • API String ID: 4171338575-3261393531
                                • Opcode ID: 7b9041d3222171f8c1eb77e5340f439f54b071f1626f08fafa341372beedfcd0
                                • Instruction ID: 31abd7802438229b91f76d37b919a68fa4fd768ae613236795088ca472ce92ec
                                • Opcode Fuzzy Hash: 7b9041d3222171f8c1eb77e5340f439f54b071f1626f08fafa341372beedfcd0
                                • Instruction Fuzzy Hash: 7401B532104B00DFD720AB70DC8CA9AB7E5FF84365F04851AF95ACB212DB35AC04EB91
                                APIs
                                • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00F493A7
                                • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00F493B7
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: RtlGetVersion$ntdll.dll
                                • API String ID: 1646373207-1489217083
                                • Opcode ID: 736afc58a831698eb34c102c84baa89e560b1989e869c2be4f33b09dd7b94a0e
                                • Instruction ID: e5c322b0a721dad1f36aabffb06b436ed86fbfd942a3b3d88b0f697ab014937f
                                • Opcode Fuzzy Hash: 736afc58a831698eb34c102c84baa89e560b1989e869c2be4f33b09dd7b94a0e
                                • Instruction Fuzzy Hash: 6DF06231F0431886DF34EB61DC467D73BA45B40715F048494EA05D1091DBF8DA83A9D2
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F7D087
                                • EnterCriticalSection.KERNEL32(01002960), ref: 00F7D09A
                                  • Part of subcall function 00F7CF20: __EH_prolog.LIBCMT ref: 00F7CF25
                                  • Part of subcall function 00F7CF20: fputs.MSVCRT ref: 00F7CF92
                                • LeaveCriticalSection.KERNEL32(01002960,?,?,00000001), ref: 00F7D0D6
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalH_prologSection$EnterLeavefputs
                                • String ID: v
                                • API String ID: 347903205-3261393531
                                • Opcode ID: a90c6f62f0d885d92422df990693b3eb04cead902458975e1661abdaa09ec1fb
                                • Instruction ID: 3adac51c4f479d0e75a0cbf93929b2abb85ebac311a6f76d1fc4d24188c1aefc
                                • Opcode Fuzzy Hash: a90c6f62f0d885d92422df990693b3eb04cead902458975e1661abdaa09ec1fb
                                • Instruction Fuzzy Hash: F8F06D32A00208FFDB0A9F54DC19FDDBB79FF84314F04811AF6299A151C7B9AA55DBA0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F7D7BD
                                • EnterCriticalSection.KERNEL32(01002960), ref: 00F7D7D0
                                • LeaveCriticalSection.KERNEL32(01002960), ref: 00F7D804
                                  • Part of subcall function 00F7C911: GetTickCount.KERNEL32 ref: 00F7C926
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$CountEnterH_prologLeaveTick
                                • String ID: v
                                • API String ID: 2547919631-3261393531
                                • Opcode ID: 8ae6d2d1604a65e3db57cbefe19b18b0f458ea38c21e4c2e6ed13cf215ae8b1e
                                • Instruction ID: 7763016ab53df81743d06941746c4e1be8c0ed7b3f2f6febd570a858f35641bf
                                • Opcode Fuzzy Hash: 8ae6d2d1604a65e3db57cbefe19b18b0f458ea38c21e4c2e6ed13cf215ae8b1e
                                • Instruction Fuzzy Hash: 2EF0CD36A00200EFC704DB28C848B89B7F8EF85310F08842BF908D7311C7B4E902DBA1
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F7D0F4
                                • EnterCriticalSection.KERNEL32(01002960), ref: 00F7D108
                                  • Part of subcall function 00F7CF20: __EH_prolog.LIBCMT ref: 00F7CF25
                                  • Part of subcall function 00F7CF20: fputs.MSVCRT ref: 00F7CF92
                                • LeaveCriticalSection.KERNEL32(01002960,?,?,00000000), ref: 00F7D133
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalH_prologSection$EnterLeavefputs
                                • String ID: v
                                • API String ID: 347903205-3261393531
                                • Opcode ID: 180ad4a748e28ef3ecf2c4d27643d153546045b665087397a836c3569da14236
                                • Instruction ID: c6ada1ed36b28dbc7e609a2412bf6033cc4af2d9a119824165de53f5a2965d57
                                • Opcode Fuzzy Hash: 180ad4a748e28ef3ecf2c4d27643d153546045b665087397a836c3569da14236
                                • Instruction Fuzzy Hash: 4BF0E237B00204ABD3016B08CC45BAEB66AEFC4320F20403AF905E7241C3B89D0596A4
                                APIs
                                • _CxxThrowException.MSVCRT(?,00FFAC78), ref: 00F7B5AA
                                  • Part of subcall function 00F41FA0: fputc.MSVCRT ref: 00F41FA7
                                • fputs.MSVCRT ref: 00F7B589
                                • fputs.MSVCRT ref: 00F7B58E
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$ExceptionThrowfputc
                                • String ID: ERROR:
                                • API String ID: 2339886702-977468659
                                • Opcode ID: b1812ecfbbb6102e3d0607821bbb574ffe3c92f286ddea2c32a4b9c24b07c345
                                • Instruction ID: b86b9dd1445e815b5ca83390e88cc2bfae7854310e7e8eb7e88a42281bdb8f08
                                • Opcode Fuzzy Hash: b1812ecfbbb6102e3d0607821bbb574ffe3c92f286ddea2c32a4b9c24b07c345
                                • Instruction Fuzzy Hash: C7F0A072E01219BB8B01AB98DC51C9EB7ACAF887A0714001BF940A3211C779AE416BD1
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F7602A
                                • EnterCriticalSection.KERNEL32(01002938), ref: 00F76044
                                • LeaveCriticalSection.KERNEL32(01002938), ref: 00F76060
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterH_prologLeave
                                • String ID: v
                                • API String ID: 367238759-3261393531
                                • Opcode ID: 8baa7bc27b4d0e932e636af154c5a914f638eb737039f69742fa4a1f271a554d
                                • Instruction ID: ee3f119244b7beb41be03a52c4bf8003213f1471cc92f0acd17eb847f2baa4c5
                                • Opcode Fuzzy Hash: 8baa7bc27b4d0e932e636af154c5a914f638eb737039f69742fa4a1f271a554d
                                • Instruction Fuzzy Hash: 84F09A36900204EFC701DF88C849EDEBBB8FF49360F14805AF405EB211C7B49A00DBA0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F7CFF9
                                • EnterCriticalSection.KERNEL32(01002960,?,?,?,00F76A2C,?,?), ref: 00F7D00C
                                  • Part of subcall function 00F7CF20: __EH_prolog.LIBCMT ref: 00F7CF25
                                  • Part of subcall function 00F7CF20: fputs.MSVCRT ref: 00F7CF92
                                • LeaveCriticalSection.KERNEL32(01002960,?,?,00000001,?,?,?,?,?,00F76A2C,?,?), ref: 00F7D037
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalH_prologSection$EnterLeavefputs
                                • String ID: v
                                • API String ID: 347903205-3261393531
                                • Opcode ID: 29709296586ba650eb406e515550c6d9ff7552eaa65ebe320b6f07519f3631fd
                                • Instruction ID: 6878e10f65e2d1d5ccf374955c97c611aee8d503ad81a6cc19a55354c71072ea
                                • Opcode Fuzzy Hash: 29709296586ba650eb406e515550c6d9ff7552eaa65ebe320b6f07519f3631fd
                                • Instruction Fuzzy Hash: 99F08232610114FFCB05AF54DC05FDD7B79FF84310F00802AF51596151CBB55A11EB90
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$fputc
                                • String ID: $:
                                • API String ID: 1185151155-4041779174
                                • Opcode ID: 9512cd1e0729644718d649bd38e94a655be592c72f16ddb5be104bb52c0c30bd
                                • Instruction ID: 25019ce881626f90d47ce3443bb3ccb4c9094b10ba1c6c5f953bbde27ead0811
                                • Opcode Fuzzy Hash: 9512cd1e0729644718d649bd38e94a655be592c72f16ddb5be104bb52c0c30bd
                                • Instruction Fuzzy Hash: FDF08C32900258ABCF226BA4CC05DDEBF79EF98314F04040AEC9127251D738A665DBA5
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F7D765
                                • EnterCriticalSection.KERNEL32(01002960), ref: 00F7D778
                                • LeaveCriticalSection.KERNEL32(01002960), ref: 00F7D7A0
                                  • Part of subcall function 00F7C911: GetTickCount.KERNEL32 ref: 00F7C926
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$CountEnterH_prologLeaveTick
                                • String ID: v
                                • API String ID: 2547919631-3261393531
                                • Opcode ID: 1b4cb37914c50fd044ec36bd00023cd6610e4fa2fb20dad372af9a5e5233b5d7
                                • Instruction ID: 8be80c786c4cbffa151e650e56a79f6759afe46e0e88874a7396abe16056653d
                                • Opcode Fuzzy Hash: 1b4cb37914c50fd044ec36bd00023cd6610e4fa2fb20dad372af9a5e5233b5d7
                                • Instruction Fuzzy Hash: F7F05836A00615EFD705EF68D849B99B7B8FF44324F00852BF41AD7240C7B8AA55DBD1
                                APIs
                                • GetModuleHandleW.KERNEL32(ntdll.dll,?,00F4A3C1,00000001), ref: 00F4A4CD
                                • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00F4A4DD
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: RtlGetVersion$ntdll.dll
                                • API String ID: 1646373207-1489217083
                                • Opcode ID: 14898a30149fa04ba18f2a5cb2ecef84d56f867618133af2e7e909bfed64b2b6
                                • Instruction ID: 958b53cb82c29c2e2e1d1257081498754fec8f5fe77ae2a70cfcbee51e1d947a
                                • Opcode Fuzzy Hash: 14898a30149fa04ba18f2a5cb2ecef84d56f867618133af2e7e909bfed64b2b6
                                • Instruction Fuzzy Hash: D4D0C7727543501AF670A6B57C4EFEB264C8B50F617054457FC10D5060E6D8DD8371E3
                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,GetLargePageMinimum,00F51D26), ref: 00FC6A6A
                                • GetProcAddress.KERNEL32(00000000), ref: 00FC6A71
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: GetLargePageMinimum$kernel32.dll
                                • API String ID: 1646373207-2515562745
                                • Opcode ID: ec8190881e36106db52c1a5020a5a20a321b1bcf4e83cb953865b9ee0803d311
                                • Instruction ID: a2f0bf0a5e67279aa3622a9a21365437c964700cffa31b74695e93bfd50d6df7
                                • Opcode Fuzzy Hash: ec8190881e36106db52c1a5020a5a20a321b1bcf4e83cb953865b9ee0803d311
                                • Instruction Fuzzy Hash: 98D0C7707443079ADB25EFB55D4EB6636A85E04B51300805DF901D5091DF2DD505FB61
                                APIs
                                • memcmp.MSVCRT(?,00FF48A0,00000010), ref: 00F66F0F
                                • memcmp.MSVCRT(?,00FF0168,00000010), ref: 00F66F2A
                                • memcmp.MSVCRT(?,00FF0178,00000010), ref: 00F66F3E
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: 372ac86672ff5297c0c26fe59cbfc0a748f5a5a18ac0716902ccd9f0196ee479
                                • Instruction ID: a5eea107997a6a8b2aa2584ea9c28088bbf1a3f4861da8e590cf09157523bcca
                                • Opcode Fuzzy Hash: 372ac86672ff5297c0c26fe59cbfc0a748f5a5a18ac0716902ccd9f0196ee479
                                • Instruction Fuzzy Hash: E811E2327403086BD7104F10EC02FBE33A55F54760F044529FE46DB282F6A5EA24B681
                                APIs
                                • memcmp.MSVCRT(?,00FF48A0,00000010), ref: 00F6DBAC
                                • memcmp.MSVCRT(?,00FF0108,00000010), ref: 00F6DBC7
                                • memcmp.MSVCRT(?,00FF0138,00000010), ref: 00F6DBDB
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: 1e764dbd36186b47d5f0de4520509e3f9a092d1a572a99350385ca3382cfaae5
                                • Instruction ID: 6d06543321e5ac56d24a4c2cf70a5f1c3fcb113f62af21eab7f812add23ef06d
                                • Opcode Fuzzy Hash: 1e764dbd36186b47d5f0de4520509e3f9a092d1a572a99350385ca3382cfaae5
                                • Instruction Fuzzy Hash: BB11E632B4030D6BD7105B10CC02FBD73A59FA5760F054429FE45DB382F7A5E654B295
                                APIs
                                • memcmp.MSVCRT(?,00FF48A0,00000010), ref: 00F81D96
                                • memcmp.MSVCRT(?,00FF0168,00000010), ref: 00F81DB1
                                • memcmp.MSVCRT(?,00FF0198,00000010), ref: 00F81DC5
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: 523061d54d45ef1a69fce151ebc83052e25d7ff9576eaff6a6704ece6841c8d7
                                • Instruction ID: 8375cd71cbdebedec6cca14b2602c9891757ae6f68f97968d937d59f8bd70012
                                • Opcode Fuzzy Hash: 523061d54d45ef1a69fce151ebc83052e25d7ff9576eaff6a6704ece6841c8d7
                                • Instruction Fuzzy Hash: 6511E632740308A7D7149B11DC02FFE33AC6F54721F044529FE469B282F6A4EA25B741
                                APIs
                                • memcmp.MSVCRT(?,00FF48A0,00000010), ref: 00F8BECE
                                • memcmp.MSVCRT(?,00FF0168,00000010), ref: 00F8BEE9
                                • memcmp.MSVCRT(?,00FF0178,00000010), ref: 00F8BEFD
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: ab21fd21c6f6df667130806479d8382909048e2dedb6dfbce221586eb2d24413
                                • Instruction ID: 80758bd3ef73484de2e643f65bc0fba6910ddd266a5f8cd48f4db15dc89400ec
                                • Opcode Fuzzy Hash: ab21fd21c6f6df667130806479d8382909048e2dedb6dfbce221586eb2d24413
                                • Instruction Fuzzy Hash: F411B2327803096BD7106B14CC02FFE33A89F54760F044429FF469B292F7A4EA54BB91
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 00F436EE
                                • GetLastError.KERNEL32(?,?,00000000,00000000), ref: 00F436F7
                                • _CxxThrowException.MSVCRT(?,00FF4A58), ref: 00F43711
                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00F43736
                                • _CxxThrowException.MSVCRT(?,00FF4A58), ref: 00F4374C
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ByteCharExceptionMultiThrowWide$ErrorLast
                                • String ID:
                                • API String ID: 2296236218-0
                                • Opcode ID: 3f28cd65287aeb91a646baf03f3b52262817c2d48c46417307e4b01fb94f763f
                                • Instruction ID: 88d1b49d64269f04a62d9fd46b93bc152107b9b4ccf72b825babb2e30964af61
                                • Opcode Fuzzy Hash: 3f28cd65287aeb91a646baf03f3b52262817c2d48c46417307e4b01fb94f763f
                                • Instruction Fuzzy Hash: 76113AB1640205AFEB14DF55CC91E7ABBE9EF88394710802AF959C7250E774EE419BA0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F76E83
                                  • Part of subcall function 00F76AFA: __EH_prolog.LIBCMT ref: 00F76AFF
                                • strlen.MSVCRT ref: 00F76F1E
                                  • Part of subcall function 00F6447D: strlen.MSVCRT ref: 00F644C7
                                • strlen.MSVCRT ref: 00F76F92
                                • fputs.MSVCRT ref: 00F76FDF
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: strlen$H_prolog$fputs
                                • String ID:
                                • API String ID: 3404455912-0
                                • Opcode ID: e1d3598c001bdaea8061d6e25947484bf275d8dd5e4b71d80c0473efd25ab935
                                • Instruction ID: 2789559ad14a0ad19b19276d78c84fe390448f8ed134b8be3f103c855204e842
                                • Opcode Fuzzy Hash: e1d3598c001bdaea8061d6e25947484bf275d8dd5e4b71d80c0473efd25ab935
                                • Instruction Fuzzy Hash: F0418131E001198FCF15EFA4DC91AED7BB5AF48300F04806AF905E7252DB78AD55EB91
                                APIs
                                  • Part of subcall function 00FD7D80: WaitForSingleObject.KERNEL32(?,000000FF,00F5AFD6,?), ref: 00FD7D83
                                  • Part of subcall function 00FD7D80: GetLastError.KERNEL32(?,000000FF,00F5AFD6,?), ref: 00FD7D8E
                                • EnterCriticalSection.KERNEL32(?), ref: 00FB5C84
                                • LeaveCriticalSection.KERNEL32(?), ref: 00FB5CA0
                                • LeaveCriticalSection.KERNEL32(?,?), ref: 00FB5D7A
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$Leave$EnterErrorLastObjectSingleWait
                                • String ID: v
                                • API String ID: 4273280806-3261393531
                                • Opcode ID: bd4b7bac832c41fbdf58d5106b4a7d79a3490898edba04694c0320db1a005a79
                                • Instruction ID: 0346efbca20a9bc35c0598ec6cd6192f43cad13d9c2941ec2f8777fc85704775
                                • Opcode Fuzzy Hash: bd4b7bac832c41fbdf58d5106b4a7d79a3490898edba04694c0320db1a005a79
                                • Instruction Fuzzy Hash: FB419D71A05B048FD710DF29C884BEABBF6FF89710F188269E49987352CB386901DB91
                                APIs
                                • GetFileSecurityW.ADVAPI32(?,00000007,?,?,?), ref: 00F60359
                                • GetLastError.KERNEL32 ref: 00F60382
                                • GetFileSecurityW.ADVAPI32(?,00000007,?,?,?,?), ref: 00F603DA
                                • GetLastError.KERNEL32(?,?,?,?), ref: 00F603F0
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ErrorFileLastSecurity
                                • String ID:
                                • API String ID: 555121230-0
                                • Opcode ID: 707d9e561b3647faebcfa270195d42ed393c12681848d7713489c3e0e5d04929
                                • Instruction ID: 21ac9116705003bae2e2347c4e9036e2fd8c5afa69893cb041e8bf836ddbdde0
                                • Opcode Fuzzy Hash: 707d9e561b3647faebcfa270195d42ed393c12681848d7713489c3e0e5d04929
                                • Instruction Fuzzy Hash: 48315671900209EFDB10DFA4C881BAFBBB5FB44315F208959E566E7350DB70AE45EBA0
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: __aulldiv
                                • String ID:
                                • API String ID: 3732870572-0
                                • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                • Instruction ID: 556750be2bbcad16ab977c163b23157934cdb7dbfb084070ff4d701cfeaf3503
                                • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                • Instruction Fuzzy Hash: 7411D5726042487FEB245EA0CC41E7B7BBEEBC5701F04842EFA4252291CA71AD18E760
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F45D7F
                                • CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 00F45DA1
                                • GetLastError.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 00F45DAB
                                • CreateDirectoryW.KERNEL32(?,00000000,00000000,?,00000000,00000001,?,?,00000000), ref: 00F45DE2
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: CreateDirectory$ErrorH_prologLast
                                • String ID:
                                • API String ID: 1817354178-0
                                • Opcode ID: 6c0f425e679fca631f02d866c738f4e522b08be9c98937b8bf93afbe629a086e
                                • Instruction ID: 52d70dc988a4214e11592723f1db9d613dd8750abee7110ac52c80a812621e84
                                • Opcode Fuzzy Hash: 6c0f425e679fca631f02d866c738f4e522b08be9c98937b8bf93afbe629a086e
                                • Instruction Fuzzy Hash: 1701B933D0451597CB147B609C8A7BE7F36EF40BA0F140036ED02A7193DB698D86B690
                                APIs
                                • _beginthreadex.MSVCRT ref: 00FD7E55
                                • SetThreadAffinityMask.KERNEL32(00000000,?), ref: 00FD7E6D
                                • ResumeThread.KERNEL32(00000000), ref: 00FD7E74
                                • GetLastError.KERNEL32 ref: 00FD7E86
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: Thread$AffinityErrorLastMaskResume_beginthreadex
                                • String ID:
                                • API String ID: 3268521904-0
                                • Opcode ID: 2a9512d5ec2181bc8a32aaca63b9448f49e85e309b6b27854afbd239f28b19f4
                                • Instruction ID: ece49f1ca7073e01cf419152761822f2fcd64b17e8f4b7452346873425170980
                                • Opcode Fuzzy Hash: 2a9512d5ec2181bc8a32aaca63b9448f49e85e309b6b27854afbd239f28b19f4
                                • Instruction Fuzzy Hash: 13F0E272605210ABD210AB58AC44FABB79AABD1B30F08421AF614CF280E6708C0797F1
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prologfputcfree
                                • String ID:
                                • API String ID: 3247574066-0
                                • Opcode ID: ffe03b43052987667e10d2c85fdfcc9e1f06306b547523d06aa0bcd58a270ad9
                                • Instruction ID: 5758aeeb29f255bd86b33050cae45c2d4db7570ec9685c29610503e2db5827d7
                                • Opcode Fuzzy Hash: ffe03b43052987667e10d2c85fdfcc9e1f06306b547523d06aa0bcd58a270ad9
                                • Instruction Fuzzy Hash: EDF09632D000199BCB057B94DC52AAEBF72EF50760F04403BF90563162DF7519A6EAC0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F63D75
                                  • Part of subcall function 00F6021A: __EH_prolog.LIBCMT ref: 00F6021F
                                  • Part of subcall function 00F804D2: _CxxThrowException.MSVCRT(00000000,00FF4A58), ref: 00F804F8
                                  • Part of subcall function 00F6749D: __EH_prolog.LIBCMT ref: 00F674A2
                                  • Part of subcall function 00F64345: __EH_prolog.LIBCMT ref: 00F6434A
                                  • Part of subcall function 00F6375C: __EH_prolog.LIBCMT ref: 00F63761
                                  • Part of subcall function 00F6375C: strcmp.MSVCRT ref: 00F63815
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ExceptionThrowstrcmp
                                • String ID: Scanning error
                                • API String ID: 1140649431-2691707340
                                • Opcode ID: 423ff2dde4617c62705cf735738f1d41ecfb63bfdb9693d563c04cf637beefe7
                                • Instruction ID: 42f6493527437def500cf3dc6624c6da998e70edf4d0132d4cd152d81b3771a2
                                • Opcode Fuzzy Hash: 423ff2dde4617c62705cf735738f1d41ecfb63bfdb9693d563c04cf637beefe7
                                • Instruction Fuzzy Hash: 93028A71D04259DFCF15EFA4CC94AEEBBB0BF15310F2480A9E845A7252DB34AE84EB50
                                APIs
                                • wcscmp.MSVCRT ref: 00F98CC6
                                • __EH_prolog.LIBCMT ref: 00F988DD
                                  • Part of subcall function 00F98E31: __EH_prolog.LIBCMT ref: 00F98E36
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$wcscmp
                                • String ID: Can't open volume:
                                • API String ID: 3232955128-72083580
                                • Opcode ID: 513ff6f79af6d43f62fd9861042bd0e2cfcf30b92504a3f34f66089c32682d79
                                • Instruction ID: e5bae3b7476229f28d3dd12b85f0e1190a9c050bc2d46261bc078b7aaa55a3ac
                                • Opcode Fuzzy Hash: 513ff6f79af6d43f62fd9861042bd0e2cfcf30b92504a3f34f66089c32682d79
                                • Instruction Fuzzy Hash: 2F020570D00249DFEF15DFA8C884BEDBBB1AF56350F14809AE446A7291CB749E86EF11
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F5B796
                                  • Part of subcall function 00FD7E00: _beginthreadex.MSVCRT ref: 00FD7E14
                                • __aulldiv.LIBCMT ref: 00F5BA51
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog__aulldiv_beginthreadex
                                • String ID:
                                • API String ID: 2901374343-3916222277
                                • Opcode ID: 83da9a3d4fadfe8ae070c19a5ae570f6d7105e91fc73cbe9f80c6632a819b67b
                                • Instruction ID: 3d2853a01f56a4f6c367fa142f09145fa4fdf2fe25e161a27b8f9d9f1ecf5bf1
                                • Opcode Fuzzy Hash: 83da9a3d4fadfe8ae070c19a5ae570f6d7105e91fc73cbe9f80c6632a819b67b
                                • Instruction Fuzzy Hash: 5DB17071D0020ADFCB20DF55C8819AEBBB1FF48311F24852EEA56A7351D7349E49DB50
                                APIs
                                • __EH_prolog.LIBCMT ref: 00FAAAEA
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prologfree
                                • String ID: EXE$exe
                                • API String ID: 1978129608-1088655240
                                • Opcode ID: 461f87d6292c9ad48e5f3fcb1dcf131acd311bde0a4b7dd325f06ea97d6b644b
                                • Instruction ID: f7574273a0f604402cfc047ee376f35028534675627cb4ae22c77f4c03b22716
                                • Opcode Fuzzy Hash: 461f87d6292c9ad48e5f3fcb1dcf131acd311bde0a4b7dd325f06ea97d6b644b
                                • Instruction Fuzzy Hash: D991B3B1900209DFDF15DF64C880BEEBBB5FF46360F108519E86697251DB34E989EB22
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F69536
                                  • Part of subcall function 00F4965D: VariantClear.OLEAUT32(?), ref: 00F4967F
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ClearH_prologVariant
                                • String ID: Unknown error$Unknown warning
                                • API String ID: 1166855276-4291957651
                                • Opcode ID: 433eb992f99b15bd14717c63e929bc25e48b300b2318297aa01ee0e209c56774
                                • Instruction ID: ac396381cfd011bea26e64b56b799d395f7fee807356068b03b51886811c358e
                                • Opcode Fuzzy Hash: 433eb992f99b15bd14717c63e929bc25e48b300b2318297aa01ee0e209c56774
                                • Instruction Fuzzy Hash: 89814871A04609DFCB10DFA4C9809EEBBF4FF48314F50896EE46AA7290D7B5AE05DB50
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog__aullrem
                                • String ID: wav
                                • API String ID: 3415659256-1803495720
                                • Opcode ID: 5b7c1c25994e038cada47286005ae9667fc834b5fb120935e231e7e943cbe017
                                • Instruction ID: 92b2451ad4fb182aabe107b4a85ed29a06582bc2fcdb6ac95be01abd47920fc4
                                • Opcode Fuzzy Hash: 5b7c1c25994e038cada47286005ae9667fc834b5fb120935e231e7e943cbe017
                                • Instruction Fuzzy Hash: 3F61C031E002098FEF21CF94C944BAEB7F1AF45325F188059E805AB266C775DF85DBA1
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$crc
                                • API String ID: 3519838083-849529298
                                • Opcode ID: 64687236d11715e4553ebc3cc462385215a10db6421fa5c3667879c534cf462b
                                • Instruction ID: 601891fd42ecb18904a1850d6d531d00d73537097c9b676a4309d5904009bac8
                                • Opcode Fuzzy Hash: 64687236d11715e4553ebc3cc462385215a10db6421fa5c3667879c534cf462b
                                • Instruction Fuzzy Hash: 19518F32D0020ADBCB54FF90DC819EEBB75BF44354F948429F81667252DB78AE89EB50
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: BlockPackSize$BlockUnpackSize
                                • API String ID: 3519838083-5494122
                                • Opcode ID: 8b04110e05e00c1427d16ba518f322cd5795af186f766a9f302ce199e92232fd
                                • Instruction ID: 60801095c6e7232940643a460b72dc5e35e6e5b9b96100a06f97e83e85bf9f7b
                                • Opcode Fuzzy Hash: 8b04110e05e00c1427d16ba518f322cd5795af186f766a9f302ce199e92232fd
                                • Instruction Fuzzy Hash: 1951E632C046859EDF39EB6488A1AFD7BB1AF26320F1840DED196D31A2D7215D8CF701
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F535BE
                                • _CxxThrowException.MSVCRT(?,00FF6010), ref: 00F53796
                                  • Part of subcall function 00F41E40: free.MSVCRT ref: 00F41E44
                                Strings
                                • incorrect update switch command, xrefs: 00F53783
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionH_prologThrowfree
                                • String ID: incorrect update switch command
                                • API String ID: 2564996034-2497410926
                                • Opcode ID: 89cb8a0128f45bd04173b3c1804d1a19e01bcada6cf10463fe9649e3cb548241
                                • Instruction ID: 72e74c57b3baa3a57399065c8268c127344f9e0c088eaeac9b904998d1ff4377
                                • Opcode Fuzzy Hash: 89cb8a0128f45bd04173b3c1804d1a19e01bcada6cf10463fe9649e3cb548241
                                • Instruction Fuzzy Hash: 1C514872D0025ADBCF15EB98DC41BEDBBB5BF08360F240199E91177292CB346E89EB50
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F5F177
                                  • Part of subcall function 00F5F302: __EH_prolog.LIBCMT ref: 00F5F307
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: AES128$AES192
                                • API String ID: 3519838083-2727009373
                                • Opcode ID: cff735d7cbf3b57fb47b225d9cd8a5f0b243b6aface17e3ed78dbddc43102af6
                                • Instruction ID: ce42d4ded9fd7844e88630b855d49ba347df85640c7672758dd5dfde4138eecf
                                • Opcode Fuzzy Hash: cff735d7cbf3b57fb47b225d9cd8a5f0b243b6aface17e3ed78dbddc43102af6
                                • Instruction Fuzzy Hash: F951CE75900109DBDF14DF94C991AEEBBB1FF58310F20426DEA46A7681C7749E1CEB90
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prologstrcmp
                                • String ID: =
                                • API String ID: 1490138475-2525689732
                                • Opcode ID: 370f8406aab832d210c5cdc709e696e25f84242b88bb6e435f4bb965a8911176
                                • Instruction ID: d38f41802205f671d06733341175877ce971496ef04e2d4a5058134ed21723ec
                                • Opcode Fuzzy Hash: 370f8406aab832d210c5cdc709e696e25f84242b88bb6e435f4bb965a8911176
                                • Instruction Fuzzy Hash: C1417F30A00249ABDF15EBB4CC56BBD7F72AF84310F084029F9056B1D2CBA95D85E751
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F4A4F8
                                  • Part of subcall function 00F4A384: __EH_prolog.LIBCMT ref: 00F4A389
                                  • Part of subcall function 00F49E14: GetSystemInfo.KERNEL32(?), ref: 00F49E36
                                  • Part of subcall function 00F49E14: GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 00F49E50
                                  • Part of subcall function 00F49E14: GetProcAddress.KERNEL32(00000000), ref: 00F49E57
                                • strcmp.MSVCRT ref: 00F4A564
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$AddressHandleInfoModuleProcSystemstrcmp
                                • String ID: -
                                • API String ID: 2798778560-3695764949
                                • Opcode ID: f4408b7809190d5e158621dbfe9b0f163d4198c00a6ca1c8d51807dddc4921bf
                                • Instruction ID: 32023ea83a2b65cd4a187482e3059ea3ae7c54028f0b3c5c65d429bfa98a7965
                                • Opcode Fuzzy Hash: f4408b7809190d5e158621dbfe9b0f163d4198c00a6ca1c8d51807dddc4921bf
                                • Instruction Fuzzy Hash: A8317A31D001099BCF15FBE0DD529EDBFB5AF54310F54406AFC0272192EF396A85EA62
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: wcscmp
                                • String ID: UNC
                                • API String ID: 3392835482-337201128
                                • Opcode ID: 8f0e3bd5d13c7ebacaf7f043a28ef7e41d28e7588a0f307b516529bf14c8ca60
                                • Instruction ID: c6d38d2d6e2d58dc720d5932d7338f7034d6c91899d9752473d893ca7f435b37
                                • Opcode Fuzzy Hash: 8f0e3bd5d13c7ebacaf7f043a28ef7e41d28e7588a0f307b516529bf14c8ca60
                                • Instruction Fuzzy Hash: 13214F357002008FD724CF18D894F26BBE5FF45724B248869E956EF691C631FC41EB80
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prologstrlen
                                • String ID: sums
                                • API String ID: 1633371453-329994169
                                • Opcode ID: a572b809457b0b7475a932b3c56de33bf150d6c77745e4b149938d6276ebcb81
                                • Instruction ID: cc7e9c8616d97008acc1cdf8c906caad32b17fdb14060ac6032f4132c9c1dd33
                                • Opcode Fuzzy Hash: a572b809457b0b7475a932b3c56de33bf150d6c77745e4b149938d6276ebcb81
                                • Instruction Fuzzy Hash: 9221C131D041589BCF05FBA8D991AEEFBB5EF94314F14406AE80273293CB792E45EB91
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: __aulldivstrlen
                                • String ID: M
                                • API String ID: 1892184250-3664761504
                                • Opcode ID: b3d06ba9d94aad544d8b8de3a7a082e1d7da2db28492939e9b69dc6bcfcb0cbb
                                • Instruction ID: c6173e0ed8dfce896e399d0a7cd3f625457699ae2cc1d761055e74c731ef9971
                                • Opcode Fuzzy Hash: b3d06ba9d94aad544d8b8de3a7a082e1d7da2db28492939e9b69dc6bcfcb0cbb
                                • Instruction Fuzzy Hash: 9B112032A003445BDB25DAB5CC51F6F77EA9B88310F18487FE387972C1D935AC099361
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 0$x
                                • API String ID: 3519838083-1948001322
                                • Opcode ID: 9de908d5189be0ab7479a22e407cf0f87afd4dfc106462ba41e98bcdfeb2c95b
                                • Instruction ID: 8d4b0c0cfb6e025138bd8ed5739632406e40095120ec862ae4a9118f3108071f
                                • Opcode Fuzzy Hash: 9de908d5189be0ab7479a22e407cf0f87afd4dfc106462ba41e98bcdfeb2c95b
                                • Instruction Fuzzy Hash: EA219D32D011199BCF09EB98D995AEDBBB5FF48304F54002BE801B7242DB795E04DBA1
                                APIs
                                • __EH_prolog.LIBCMT ref: 00F53941
                                • _CxxThrowException.MSVCRT(?,00FF6010), ref: 00F539DE
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionH_prologThrow
                                • String ID: Unsupported charset:
                                • API String ID: 461045715-616772432
                                • Opcode ID: 42e4600ac86fbce171a2c450743d21b2dd5ee6c668e82ceea52a35f8720f9a34
                                • Instruction ID: 1a87a3fe8b0c42e78addb8688fc0a04ea433ea15273246dd4c6ab7f9cf8909bd
                                • Opcode Fuzzy Hash: 42e4600ac86fbce171a2c450743d21b2dd5ee6c668e82ceea52a35f8720f9a34
                                • Instruction Fuzzy Hash: 2C212672A000099BCB11EF98CC81EEDB772EF45354F044169FE866B252CB35AE49EB80
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: BT2$LZMA
                                • API String ID: 3519838083-1343681682
                                • Opcode ID: 2d39ad3107b0f6a462dc0af9bee9c412ebf3dbfdf9da02e4968fa6871cfc2e7e
                                • Instruction ID: cafd8655a4fd8a2685861f02b8ff160cb60b97a2d431d19811ebd2754f24ea36
                                • Opcode Fuzzy Hash: 2d39ad3107b0f6a462dc0af9bee9c412ebf3dbfdf9da02e4968fa6871cfc2e7e
                                • Instruction Fuzzy Hash: 90118F31A25214BBD718FBA4DC56FEDBB70AF24B50F000029F912661D2EBF86E04E741
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: / $ :
                                • API String ID: 3519838083-1815150141
                                • Opcode ID: 03e6a31e73c4c33f1a13406abc63c1e0d8fb817f36940df42802a37f911bc75a
                                • Instruction ID: 66908ab64a5b34836532a47fa9a782793b4e3a468185fa684f6b2d66e68af3f6
                                • Opcode Fuzzy Hash: 03e6a31e73c4c33f1a13406abc63c1e0d8fb817f36940df42802a37f911bc75a
                                • Instruction Fuzzy Hash: 63113A329002299BCF15EF94CC92EEEB7B5BF58701F54042DF91677192DB78AA04EB60
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ErrorH_prologLast
                                • String ID: :
                                • API String ID: 1057991267-3653984579
                                • Opcode ID: 81d99cfd606558ff23abbce0f6b67a0e96a8b20d1089a8322dee79f9b49d143f
                                • Instruction ID: 27ef38024d81e05b02eca948a4a46cb05f13ccb019c454e596370c1832904b6a
                                • Opcode Fuzzy Hash: 81d99cfd606558ff23abbce0f6b67a0e96a8b20d1089a8322dee79f9b49d143f
                                • Instruction Fuzzy Hash: 8411A136D001059BCB05EBE4DC06ADEBF71BF54314F104069FD02A7292DB799E55EBA0
                                APIs
                                Strings
                                • Cannot open the file as archive, xrefs: 00F786D0
                                • Cannot open encrypted archive. Wrong password?, xrefs: 00F78698
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs
                                • String ID: Cannot open encrypted archive. Wrong password?$Cannot open the file as archive
                                • API String ID: 1795875747-1623556331
                                • Opcode ID: 0663846bf7019980eaeeeb37494dfa72d70e785b8878daa1a4e67ddec3e19c6d
                                • Instruction ID: 07569cf5c0c648765265ad268f45a89bed1173d3b737b86dfe9f60fb4c576077
                                • Opcode Fuzzy Hash: 0663846bf7019980eaeeeb37494dfa72d70e785b8878daa1a4e67ddec3e19c6d
                                • Instruction Fuzzy Hash: A201D6313402406BCA04E754DC99A7EB7A7AFC8390F58852FF90687685DF78AC47BB52
                                APIs
                                • FormatMessageW.KERNEL32(00001300,00000000,?,00000000,?,00000000,00000000), ref: 00F45999
                                Strings
                                • Internal Error: The failure in hardware (RAM or CPU), OS or program, xrefs: 00F4597B
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: FormatMessage
                                • String ID: Internal Error: The failure in hardware (RAM or CPU), OS or program
                                • API String ID: 1306739567-2427807339
                                • Opcode ID: 2eb2748a289bfca19b68e4d6ce5caf3865a06d70456dea3b4baa9e092167e459
                                • Instruction ID: 869bc53f4a4d55c4126b1192713b789b54aa186e268948b65d0838d0a6311c9c
                                • Opcode Fuzzy Hash: 2eb2748a289bfca19b68e4d6ce5caf3865a06d70456dea3b4baa9e092167e459
                                • Instruction Fuzzy Hash: 8CE02272604689FFAF0577608C03CFF7AADEA90B303500228FC02EA242F6654E0236F5
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs
                                • String ID: =
                                • API String ID: 1795875747-2525689732
                                • Opcode ID: 0e054e9bd926cb7c95814b1d4dd08fd566da8232764905345f9bc421745388c4
                                • Instruction ID: e8fd1a987fbb213f001df336d3ce345ed5dc17db0077126419e51d9d383304bb
                                • Opcode Fuzzy Hash: 0e054e9bd926cb7c95814b1d4dd08fd566da8232764905345f9bc421745388c4
                                • Instruction Fuzzy Hash: 63E0D831A001589BDB00B7ED9C858AE7F29FBC03547000823F910CB211EA70D916EBD1
                                APIs
                                • OpenEventW.KERNEL32(00000002,00000000,?,Unsupported Map data size,?,?,00F5324C,?,?,?,00000000), ref: 00F532A1
                                • GetLastError.KERNEL32(?,00F5324C,?,?,?,00000000), ref: 00F532AE
                                Strings
                                • Unsupported Map data size, xrefs: 00F53294
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: ErrorEventLastOpen
                                • String ID: Unsupported Map data size
                                • API String ID: 330508107-1172413320
                                • Opcode ID: 4a678dabeb742d2408ebbea2257b13fe26743360c70d413fbd1d5c12916ff54c
                                • Instruction ID: 737ffd034590a196f6fea47a0bcb2dd500deaf07aba15f15a23ec5b91d6c6cb1
                                • Opcode Fuzzy Hash: 4a678dabeb742d2408ebbea2257b13fe26743360c70d413fbd1d5c12916ff54c
                                • Instruction Fuzzy Hash: D8E06D31500208EBEB10ABA5CC07B9D77A9AF00395F604069E901E6191FB746F04BA54
                                APIs
                                • fputs.MSVCRT ref: 00F79594
                                • fputs.MSVCRT ref: 00F7959D
                                  • Part of subcall function 00F42201: fputs.MSVCRT ref: 00F4221E
                                  • Part of subcall function 00F41FA0: fputc.MSVCRT ref: 00F41FA7
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$fputc
                                • String ID: Archives
                                • API String ID: 1185151155-454332015
                                • Opcode ID: 99bb566ff8ff8152333681a44144bf8a56ae625384fa3a4be06fc4e090f1b336
                                • Instruction ID: 938c8a0206015152d0e0b2260c52e511db5cd4e698536909a0285a02468f2c8d
                                • Opcode Fuzzy Hash: 99bb566ff8ff8152333681a44144bf8a56ae625384fa3a4be06fc4e090f1b336
                                • Instruction Fuzzy Hash: C2D02B322002046BCB117FA49C01C6FBEA6FFD47107010C1FFD8043121CE654865BF91
                                APIs
                                • memcmp.MSVCRT(?,00FF48A0,00000010), ref: 00FA41D6
                                • memcmp.MSVCRT(?,00FF0168,00000010), ref: 00FA41F1
                                • memcmp.MSVCRT(?,00FF01E8,00000010), ref: 00FA4205
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: 5ea87b50117479d2603829c76ece0cd8088a71aea7928f093e15447187b4a35c
                                • Instruction ID: 5ddd13674c41fbebee03927ef57b9c372332884080a44b6b703a5be7be361316
                                • Opcode Fuzzy Hash: 5ea87b50117479d2603829c76ece0cd8088a71aea7928f093e15447187b4a35c
                                • Instruction Fuzzy Hash: 2D01C47275020967D7104B14CC42F7E73E49FA6761F044429FE46DB282F6F8FA54B651
                                APIs
                                • memcmp.MSVCRT(?,00FF48A0,00000010), ref: 00F6CDED
                                • memcmp.MSVCRT(?,00FF0108,00000010), ref: 00F6CE08
                                • memcmp.MSVCRT(?,00FF0138,00000010), ref: 00F6CE1C
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: 2507214c5e32dd699003853a9ec6abd256f96a2cf69881c6430175e48a936270
                                • Instruction ID: e3882184a0efc677eff85c00a8642e96e4cb0fd45d670a11bb0c75bfd7bb857c
                                • Opcode Fuzzy Hash: 2507214c5e32dd699003853a9ec6abd256f96a2cf69881c6430175e48a936270
                                • Instruction Fuzzy Hash: 2201A132750209A7D7104F148C02F7E73A99F64B60F044429FEC5EB282F6A6E654B7D5
                                APIs
                                • memcmp.MSVCRT(?,00FF48A0,00000010), ref: 00F7B1BD
                                • memcmp.MSVCRT(?,00FF0418,00000010), ref: 00F7B1D8
                                • memcmp.MSVCRT(?,00FF0428,00000010), ref: 00F7B1EC
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: 62f6c23cca6861f9a2d6759b9bf8c235cc50b38d3111335968ba8de4e0723b50
                                • Instruction ID: c316d2ed3948b4e960ad9963ef7bfdd2dfcd5cb9dd0486f57c27985d8f3b8aaa
                                • Opcode Fuzzy Hash: 62f6c23cca6861f9a2d6759b9bf8c235cc50b38d3111335968ba8de4e0723b50
                                • Instruction Fuzzy Hash: DF01A13275020D67D7115A14DC02FBE33A49F59760F04843AFE4ADB283F7A4E654B7A2
                                APIs
                                • memcmp.MSVCRT(?,00FF48A0,00000010), ref: 00FA3C2A
                                • memcmp.MSVCRT(?,00FF0388,00000010), ref: 00FA3C45
                                • memcmp.MSVCRT(?,00FF03B8,00000010), ref: 00FA3C59
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
                                 • Associated: 0000000A.00000002.1807650396.0000000000F40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807728719.0000000000FEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807747126.0000000001002000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.1807771089.000000000100B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: cc7226c225b01bb3717e7c65f18ff41d2ed7f0930ef7e08112a2092c6d3a8afe
                                • Instruction ID: 06bffa4edff89c2d5d24a47bfae3fba4a6ac5badd1d856b0c2c5bd3a2201f607
                                • Opcode Fuzzy Hash: cc7226c225b01bb3717e7c65f18ff41d2ed7f0930ef7e08112a2092c6d3a8afe
                                • Instruction Fuzzy Hash: D001E1B274030867D7104A14CC02FBD73E88F65770F054439FE46AB282F6B4EB10B255
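The entries above are the Joe Sandbox IDA-plugin export for the image the snapshot name calls 7zr (process 0x0A, dump offset 00F40000), and the report only renders them as flat bullet lists. As an added example that is not code from the report or from Joe Sandbox, the parser below turns such entries into records so the string xrefs and API call sites can be pivoted on and converted to RVAs relative to the dumped image base. The section layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity, bullet lines, the `$`-separated API ID and String ID values) is taken from the listing; reading the image name out of the snapshot file name is an assumption inferred from the visible `hcaresult_10_2_f40000_7zr.jbxd` pattern. The sample input is two entries copied from the listing with their Associated lines dropped.

```python
"""Parse Joe Sandbox IDA-plugin function entries (layout as in this report)."""
import re
from dataclasses import dataclass, field

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?(?P<name>\w+)\."
                    r"(?P<module>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
STR_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-F]+)$")
SRC_RE = re.compile(r"^Source File: \S+, Offset: (?P<base>[0-9A-F]+), based on PE: \w+$")
# Assumption: snapshot names look like hcaresult_<pid>_<run>_<base>_<image>.jbxd
SNAP_RE = re.compile(r"^Snapshot File: hcaresult_\d+_\d+_[0-9a-f]+_(?P<image>.+)\.jbxd$")


@dataclass
class Entry:
    apis: list = field(default_factory=list)        # dicts: name, module, args, ref, caller
    strings: list = field(default_factory=list)     # (text, xref address)
    similarity: dict = field(default_factory=dict)  # e.g. 'API ID' -> ['fputs', 'fputc']
    base: int = 0                                   # image base the addresses are relative to
    image: str = ""                                 # image name taken from the snapshot name


def parse_entries(text):
    """Split the listing into one Entry per function (each starts at an 'APIs' header)."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                cur = Entry()
                entries.append(cur)
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                cur.apis.append(m.groupdict())
        elif section == "Strings":
            m = STR_RE.match(body)
            if m:
                cur.strings.append((m["text"], m["ref"]))
        elif section == "Memory Dump Source":
            m = SRC_RE.match(body)
            if m:
                cur.base = int(m["base"], 16)
        elif section == "Joe Sandbox IDA Plugin":
            m = SNAP_RE.match(body)
            if m:
                cur.image = m["image"]
        elif section == "Similarity":
            key, _, value = body.partition(":")
            value = value.strip()
            cur.similarity[key.strip()] = value.split("$") if value else []
    return entries


def rva(entry, addr):
    """Report address (hex string) -> RVA inside the dumped image."""
    return int(addr, 16) - entry.base


def functions_with_string(entries, needle):
    """(xref address, rva) for every string xref whose text contains needle."""
    return [(ref, rva(e, ref)) for e in entries for text, ref in e.strings if needle in text]


def api_index(entries):
    """Imported API name -> list of call-site addresses across all entries."""
    idx = {}
    for e in entries:
        for a in e.apis:
            idx.setdefault(a["name"], []).append(a["ref"])
    return idx


# Two entries copied from the report listing (Associated lines dropped).
SAMPLE = """\
APIs
• OpenEventW.KERNEL32(00000002,00000000,?,Unsupported Map data size,?,?,00F5324C,?,?,?,00000000), ref: 00F532A1
• GetLastError.KERNEL32(?,00F5324C,?,?,?,00000000), ref: 00F532AE
Strings
• Unsupported Map data size, xrefs: 00F53294
Memory Dump Source
• Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
Similarity
• API ID: ErrorEventLastOpen
• String ID: Unsupported Map data size
APIs
• fputs.MSVCRT ref: 00F79594
• fputs.MSVCRT ref: 00F7959D
  • Part of subcall function 00F42201: fputs.MSVCRT ref: 00F4221E
  • Part of subcall function 00F41FA0: fputc.MSVCRT ref: 00F41FA7
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1807666346.0000000000F41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_f40000_7zr.jbxd
Similarity
• API ID: fputs$fputc
• String ID: Archives
"""

if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    print(functions_with_string(ents, "Map data"), api_index(ents))
```

Paste the whole listing from the report into `parse_entries` to index it; `rva()` gives the offset to jump to after loading the `0000000A.00000002.1807666346.0000000000F41000...sdmp` dump rebased at 00F40000, and `api_index` is the quick way to find every call site of an API such as `memcmp` or `OpenEventW` without scrolling the entries by hand.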